CVE-2026-13450
Received Received - Intake

Insecure Direct Object Reference in GamiPress WordPress Plugin

Vulnerability report for CVE-2026-13450, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Wordfence

Description

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view private GamiPress activity log entries belonging to any user, including badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress. This is exploitable by any unauthenticated visitor because the required 'gamipress' nonce is broadcast to all front-end users via wp_localize_script on the wp_enqueue_scripts hook, making the sole authentication barrier trivially bypassable.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gamipress gamification_plugin to 7.9.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the GamiPress – Gamification plugin for WordPress, specifically in all versions up to and including 7.9.4. It is an Insecure Direct Object Reference (IDOR) issue caused by missing validation on a user-controlled 'access' parameter.

This flaw allows unauthenticated attackers to view private GamiPress activity log entries of any user. These logs include badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress.

The vulnerability is exploitable by any unauthenticated visitor because the required 'gamipress' nonce, which should act as an authentication barrier, is broadcast to all front-end users and can be trivially bypassed.

Impact Analysis

This vulnerability can impact you by allowing unauthorized individuals to access private user activity logs within the GamiPress plugin.

  • Exposure of sensitive user data such as badge earnings and points balance changes.
  • Disclosure of event records from integrated plugins like WooCommerce, LearnDash, and BuddyPress.

Since the attacker does not need to be authenticated, this could lead to privacy violations and potential misuse of user information.

Compliance Impact

The vulnerability allows unauthenticated attackers to view private user activity logs, including badge earnings, points balance changes, and event records. This exposure of personal user data could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access.

Since the vulnerability enables unauthorized access to private user data, organizations using the affected plugin may face risks related to data privacy and confidentiality mandates under these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13450. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart