CVE-2025-12361: CWE-862 Missing Authorization in saadiqbal myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program.
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information including user IDs, display names, and email addresses of all users on the site via the get_bank_accounts AJAX action. Passwords are not exposed.
AI Analysis
Technical Summary
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program WordPress plugin suffers from a Missing Authorization vulnerability (CWE-862) identified as CVE-2025-12361. This vulnerability exists in all versions up to and including 2.9.7.1 due to the plugin's failure to properly verify that a user is authorized to perform certain actions. Specifically, the get_bank_accounts AJAX action does not enforce adequate permission checks, allowing any authenticated user with at least Subscriber-level privileges to retrieve sensitive information about all users on the WordPress site. The exposed data includes user IDs, display names, and email addresses, but does not include passwords or other highly sensitive credentials. The vulnerability is remotely exploitable over the network (AV:N), requires low attack complexity (AC:L), and only requires privileges of an authenticated user (PR:L) without any additional user interaction (UI:N). The scope is unchanged (S:U), and the impact is limited to confidentiality (C:L) with no impact on integrity or availability. This flaw can lead to privacy violations and facilitate further targeted attacks such as phishing or social engineering. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is widely used in WordPress sites implementing gamification, ranks, badges, and loyalty programs, making the vulnerability relevant to a broad range of organizations using this plugin for user engagement.
Potential Impact
The primary impact of CVE-2025-12361 is the unauthorized disclosure of user information including user IDs, display names, and email addresses. While passwords are not exposed, the leaked data can be leveraged by attackers to conduct targeted phishing campaigns, spear phishing, or social engineering attacks against users of the affected sites. Organizations relying on myCred for gamification and loyalty programs may face reputational damage and loss of user trust if user data is leaked. Additionally, attackers with Subscriber-level access could use this information to map user relationships or escalate attacks within the site. The vulnerability does not affect the integrity or availability of the system, so direct service disruption or data manipulation is not expected. However, the breach of confidentiality can have downstream effects, especially in environments with sensitive user bases or regulatory compliance requirements such as GDPR. Since exploitation requires authenticated access, the risk is somewhat mitigated by the need for user credentials, but given that Subscriber-level access is commonly granted to registered users, the attack surface remains significant.
Mitigation Recommendations
To mitigate CVE-2025-12361, organizations should first upgrade the myCred plugin to a patched version as soon as one is available. In the absence of an official patch, administrators should restrict Subscriber-level user capabilities to the minimum necessary, and disable or limit access to the get_bank_accounts AJAX action via custom code or security plugins. Implementing a Web Application Firewall (WAF) with rules to detect and block unauthorized AJAX requests targeting this endpoint can reduce risk. Site owners should audit user roles and permissions to ensure that only trusted users have Subscriber or higher privileges. Monitoring logs for unusual AJAX requests or data access patterns can help detect exploitation attempts. Additionally, consider informing users about potential phishing risks stemming from leaked email addresses and encourage vigilance. Regular security assessments and plugin updates are critical to prevent exploitation of similar authorization flaws.
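The log-monitoring recommendation above can be turned into a concrete hunt. The following is an added example, not code from the myCred project or from this advisory: a small Python script that scans web server access log lines in Combined Log Format, picks out requests to /wp-admin/admin-ajax.php whose URL carries action=get_bank_accounts, and summarizes them per source address, distinguishing requests that got an HTTP 200 (data was likely returned) from ones that were blocked. It assumes the Combined Log Format layout and that the action name is visible in the request line (admin-ajax.php reads the action from $_REQUEST, so GET requests carry it in the URL; a standard access log does not contain POST bodies, so requests that pass the action only in the body would need a WAF or application log instead). The sample log lines are constructed for illustration.

```python
"""Hunt for CVE-2025-12361 probing in web server access logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The AJAX action named in the advisory.
SUSPECT_ACTION = "get_bank_accounts"

# Constructed sample lines (RFC 5737 documentation addresses, fictitious site).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2025:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_bank_accounts HTTP/1.1" 200 4821 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [27/Oct/2025:10:15:03 +0000] "GET /wp-admin/admin-ajax.php?action=get_bank_accounts HTTP/1.1" 200 4790 "-" "curl/8.4.0"
198.51.100.22 - - [27/Oct/2025:10:16:44 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 118 "https://example.test/wp-admin/post.php" "Mozilla/5.0"
198.51.100.22 - - [27/Oct/2025:10:17:02 +0000] "GET /blog/?action=get_bank_accounts HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Oct/2025:10:18:30 +0000] "GET /wp-admin/admin-ajax.php?action=get_bank_accounts HTTP/1.1" 403 153 "-" "python-requests/2.32"
this line is not in combined log format
"""


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def ajax_action(path):
    """Return the action name if the URL targets admin-ajax.php, else None.

    endswith() keeps this working for sites installed in a subdirectory.
    """
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    actions = parse_qs(parts.query).get("action")
    return actions[0] if actions else None


def find_suspect_requests(lines):
    """Return the parsed records whose URL invokes the suspect AJAX action."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and ajax_action(rec["path"]) == SUSPECT_ACTION:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Per client IP: how many calls were made and how many returned HTTP 200.

    A 200 means the endpoint answered, i.e. the user listing was most likely
    served; a 403 suggests a WAF rule or capability check blocked the call.
    """
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"total": 0, "succeeded": 0})
        entry["total"] += 1
        if h["status"] == 200:
            entry["succeeded"] += 1
    return summary


if __name__ == "__main__":
    found = find_suspect_requests(SAMPLE_LOG.splitlines())
    for ip, counts in summarize_by_source(found).items():
        print(f"{ip}: {counts['total']} call(s), {counts['succeeded']} returned 200")
```

In practice, any call to this action from an account that is not an administrator is worth a ticket; the per-source summary pairs well with the site's own user/session records to attribute the calls to a WordPress account, and a nonzero "succeeded" count after the patch date indicates the update was not applied.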
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-27T16:53:03.299Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69451dcdc326d36e537b0eb7
Added to database: 12/19/2025, 9:41:33 AM
Last enriched: 2/27/2026, 8:23:57 PM
Last updated: 3/26/2026, 7:51:58 AM