CVE-2025-12361: CWE-862 Missing Authorization in saadiqbal myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program.
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information including user IDs, display names, and email addresses of all users on the site via the get_bank_accounts AJAX action. Passwords are not exposed.
AI Analysis
Technical Summary
CVE-2025-12361 is a vulnerability classified under CWE-862 (Missing Authorization) found in the myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program WordPress plugin, versions up to and including 2.9.7.1. The issue stems from the plugin's failure to properly verify that a user is authorized to perform certain actions, specifically within the get_bank_accounts AJAX endpoint. This endpoint can be accessed by authenticated users with Subscriber-level privileges or higher, allowing them to retrieve sensitive information such as user IDs, display names, and email addresses of all users registered on the WordPress site. Notably, passwords are not exposed, mitigating the risk of direct account compromise. The vulnerability requires the attacker to be authenticated but does not require any additional user interaction, making exploitation straightforward once access is obtained. The CVSS v3.1 base score is 4.3 (medium severity), with the vector indicating network attack vector, low attack complexity, privileges required at the level of a subscriber, no user interaction, unchanged scope, and limited confidentiality impact. No public exploits have been reported yet, but the exposure of user data can facilitate further attacks such as phishing or social engineering. The vulnerability affects all versions of the plugin up to 2.9.7.1, and no official patches have been linked at this time. The plugin is commonly used to manage gamification elements like points, ranks, badges, and loyalty programs on WordPress sites, which are popular in various sectors including e-commerce, education, and community platforms.
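To make the CWE-862 pattern concrete, the following hypothetical WordPress AJAX handler is an added illustration written for this page, not code from the myCred plugin: the vulnerable form relies on the `wp_ajax_` hook (which only proves the caller is logged in) and then returns every user's ID, display name and email, while the hardened form adds a nonce check and a capability check before answering. The function names, the nonce action name and the `list_users` capability are assumptions; the real plugin may use its own capability.

```php
<?php
// Hypothetical plugin code written for this page as an illustration.
// It is NOT the myCred plugin's source; handler names, the nonce action
// and the capability used are assumptions.

// Vulnerable pattern (CWE-862, shown for contrast and deliberately not hooked):
// a wp_ajax_ action is only reachable by logged-in users, but nothing here
// asks WHICH user is calling, so any Subscriber receives the full user list.
function example_get_bank_accounts_vulnerable() {
    $users = get_users( array(
        'fields' => array( 'ID', 'display_name', 'user_email' ),
    ) );
    wp_send_json_success( $users ); // leaks IDs, display names, emails
}

// Hardened form: authentication (the wp_ajax_ hook) is not authorization.
// The handler must (1) verify a nonce so the request came from a page the
// site issued to this user, and (2) verify a capability that Subscribers
// do not hold before returning site-wide user data.
add_action( 'wp_ajax_get_bank_accounts', 'example_get_bank_accounts_hardened' );
function example_get_bank_accounts_hardened() {
    // CSRF protection; 'example_bank_accounts' is an assumed nonce action.
    // check_ajax_referer() terminates the request if the nonce is invalid.
    check_ajax_referer( 'example_bank_accounts', 'nonce' );

    // The actual authorization decision. 'list_users' is a core capability
    // granted to Administrators but not to Subscribers. A nonce alone would
    // NOT fix the bug: every logged-in user can obtain a valid nonce.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Only users who may already see the Users screen reach this point.
    $users = get_users( array(
        'fields' => array( 'ID', 'display_name', 'user_email' ),
    ) );
    wp_send_json_success( $users );
}
```

When auditing a plugin for this class of bug, the check to make is that every `wp_ajax_*` (and `wp_ajax_nopriv_*`) callback that reads or writes privileged data calls `current_user_can()` with an appropriate capability, not merely `check_ajax_referer()`.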
Potential Impact
For European organizations, the primary impact of this vulnerability is the unauthorized disclosure of user information, which can compromise user privacy and violate data protection regulations such as the GDPR. Exposure of user IDs, display names, and email addresses can enable targeted phishing campaigns, social engineering attacks, and identity harvesting. While passwords are not exposed, the leaked information can be leveraged to attempt credential stuffing or spear-phishing attacks. Organizations relying on the myCred plugin for customer engagement or loyalty programs risk reputational damage and potential regulatory penalties if user data is mishandled. The vulnerability does not directly affect system integrity or availability but undermines trust and confidentiality. Given the widespread use of WordPress in Europe and the popularity of gamification plugins, the risk is non-negligible, especially for sectors with large user bases such as retail, education, and online communities. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks.
Mitigation Recommendations
European organizations should immediately verify whether their WordPress installations run the myCred plugin at or below version 2.9.7.1. In the absence of an official patch, administrators should consider the following mitigations:
- Restrict plugin access to trusted users only by adjusting WordPress user roles and capabilities to limit Subscriber-level access.
- Implement Web Application Firewall (WAF) rules to monitor and block suspicious AJAX requests targeting get_bank_accounts.
- Disable or restrict AJAX actions related to the plugin if they are not essential.
- Monitor logs for unusual access patterns or data requests.
- Educate users about phishing risks stemming from leaked information.
- Maintain regular backups and update the plugin promptly once a patch is released.
Additionally, organizations should conduct a privacy impact assessment to evaluate the exposure and notify affected users if required under the GDPR. Employing multi-factor authentication (MFA) can also reduce the risk of unauthorized authenticated access.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-27T16:53:03.299Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69451dcdc326d36e537b0eb7
Added to database: 12/19/2025, 9:41:33 AM
Last enriched: 12/26/2025, 10:29:32 AM
Last updated: 2/6/2026, 7:06:06 PM