CVE-2025-12361 identifies a Missing Authorization vulnerability (CWE-862) in the myCred – Points Management System plugin for WordPress, which is widely used for gamification, ranks, badges, and loyalty programs. The vulnerability exists because the plugin fails to properly verify whether an authenticated user has the necessary permissions to perform certain actions, specifically the get_bank_accounts AJAX action. This flaw allows any authenticated user with at least Subscriber-level privileges to access sensitive information about all users on the site, including user IDs, display names, and email addresses. The vulnerability does not expose passwords or allow modification of data, but it compromises confidentiality by leaking personal information. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts confidentiality only. The vulnerability affects all versions up to 2.9.7.1, and no patches or exploit code are currently publicly available. The flaw is significant because Subscriber-level access is commonly granted to registered users, meaning that an attacker does not need elevated privileges to exploit it. This can facilitate targeted phishing, social engineering, or further attacks leveraging the exposed user data. The plugin’s role in managing points and loyalty programs makes it a common component in WordPress sites that engage users through gamification, increasing the potential impact of this vulnerability on community and membership sites.

For European organizations, the exposure of user IDs, display names, and email addresses can lead to privacy violations and non-compliance with the EU General Data Protection Regulation (GDPR), which mandates strict controls over personal data. The leak of email addresses and user identities can facilitate spear-phishing campaigns, social engineering attacks, and targeted fraud. Organizations relying on myCred for user engagement risk reputational damage and loss of user trust if this vulnerability is exploited. Although passwords are not exposed, the information leaked is sufficient to compromise user privacy and potentially enable further attacks. The vulnerability does not affect system availability or integrity directly but undermines confidentiality. European companies with active membership or community websites using WordPress and myCred are particularly vulnerable. The medium severity indicates a moderate risk that should be addressed promptly to avoid escalation or chained attacks.

1. Immediately update the myCred plugin to a version where this vulnerability is patched once available. Monitor vendor announcements for patch releases. 2. If a patch is not yet available, restrict access to the get_bank_accounts AJAX action by implementing custom authorization checks at the WordPress level, ensuring only trusted roles (e.g., administrators) can invoke it. 3. Limit Subscriber-level user capabilities where possible, reducing unnecessary permissions that could be exploited. 4. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious AJAX requests targeting this endpoint. 5. Conduct regular audits of user roles and permissions to ensure minimal privilege principles are enforced. 6. Monitor logs for unusual access patterns to the AJAX endpoint to detect potential exploitation attempts. 7. Educate site administrators about the risks of installing plugins without strict access controls and encourage security best practices in plugin management. 8. Consider disabling or replacing the myCred plugin if it is not essential, or if a timely patch is unavailable.