CVE-2025-12362: CWE-862 Missing Authorization in saadiqbal myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program.
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to approve withdrawal requests, modify user point balances, and manipulate the payment processing system via the cashcred_pay_now AJAX action.
AI Analysis
Technical Summary
The myCred plugin for WordPress, widely used to manage points, gamification, ranks, badges, and loyalty programs, contains a vulnerability identified as CVE-2025-12362. This vulnerability is classified under CWE-862 (Missing Authorization) and affects all versions up to and including 2.9.7. The root cause is the plugin's failure to properly verify whether a user is authorized to perform certain sensitive actions. Specifically, the cashcred_pay_now AJAX action does not enforce authorization checks, allowing unauthenticated attackers to approve withdrawal requests, alter user point balances, and manipulate payment processing workflows. This can lead to unauthorized financial transactions or fraudulent point redemptions. The vulnerability is remotely exploitable without requiring any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the lack of confidentiality and availability impact but significant integrity impact. No patches or known exploits are currently reported, but the vulnerability's nature makes it a target for attackers aiming to exploit loyalty or payment systems integrated with WordPress sites. Organizations relying on myCred for customer engagement or financial incentives should consider this a priority vulnerability.
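The defect class described above (CWE-862 on a WordPress AJAX action) has a well-known shape and a well-known fix. The following PHP is an added illustration written for this page, not code from the myCred plugin or from Wordfence: the hook name `example_pay_now`, the nonce action `example_pay_now_nonce`, the `request_id` parameter and the helper `example_mark_request_paid()` are all hypothetical. It shows the weak registration pattern in a comment and the hardened handler beside it.

```php
<?php
// Added illustration for CWE-862 in a WordPress AJAX handler; not myCred code.
// All hook, nonce and helper names below are hypothetical.

// WEAK PATTERN (shown only as a comment): the callback is registered on the
// wp_ajax_nopriv_* hook, so any unauthenticated visitor can reach it, and it
// changes financial state without checking who the caller is or whether the
// request carries a nonce.
//
// add_action( 'wp_ajax_nopriv_example_pay_now', 'example_pay_now_weak' );
// function example_pay_now_weak() {
//     $request_id = absint( $_POST['request_id'] );
//     example_mark_request_paid( $request_id );   // no nonce, no capability check
//     wp_send_json_success();
// }

// HARDENED PATTERN: register only on the authenticated hook (no nopriv twin),
// verify a nonce against CSRF, then require a capability before any state change.
add_action( 'wp_ajax_example_pay_now', 'example_pay_now_hardened' );

function example_pay_now_hardened() {
    // 1. CSRF protection. The page that issues the request must embed a nonce
    //    created with wp_create_nonce( 'example_pay_now_nonce' ) (for example via
    //    wp_localize_script). check_ajax_referer() dies with -1 if it is absent or stale.
    check_ajax_referer( 'example_pay_now_nonce', 'nonce' );

    // 2. Authorization. Approving a payout is an administrative act; tie it to
    //    manage_options or to a plugin-specific capability mapped to a finance role.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: the request id must be a positive integer.
    $request_id = isset( $_POST['request_id'] ) ? absint( wp_unslash( $_POST['request_id'] ) ) : 0;
    if ( 0 === $request_id ) {
        wp_send_json_error( array( 'message' => 'Invalid request id.' ), 400 );
    }

    // 4. Audit trail: record who approved which request before the state change,
    //    so log monitoring can pick up unexpected approvals.
    error_log( sprintf(
        'example_pay_now: user %d approved withdrawal request %d',
        get_current_user_id(),
        $request_id
    ) );

    example_mark_request_paid( $request_id );
    wp_send_json_success( array( 'request_id' => $request_id ) );
}

// Hypothetical state-change helper: marks the withdrawal request as paid.
function example_mark_request_paid( $request_id ) {
    update_post_meta( $request_id, '_example_withdrawal_status', 'paid' );
}
```

Two points are easy to get wrong in this pattern: a nonce alone is not authorization (a low-privileged logged-in user can obtain a valid nonce), and a capability check alone does not stop CSRF, so a sensitive handler needs both. Registering the same callback on `wp_ajax_nopriv_*` "for convenience" silently removes the authentication boundary that `wp_ajax_*` provides.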
Potential Impact
For European organizations, the impact primarily concerns the integrity of loyalty and payment systems integrated via the myCred plugin. Unauthorized manipulation of point balances and withdrawal approvals can lead to financial losses, fraud, and reputational damage. E-commerce platforms, membership sites, and businesses using gamification to drive customer engagement are particularly at risk. The vulnerability could be exploited to fraudulently redeem points or withdraw funds, undermining trust in the platform and potentially causing regulatory scrutiny under GDPR if customer data or transactions are affected indirectly. While availability and confidentiality are not directly impacted, the financial and operational consequences of integrity breaches can be significant. The risk is heightened for organizations with high transaction volumes or those operating in competitive markets where loyalty programs are critical to customer retention.
Mitigation Recommendations
1. Immediately restrict access to the cashcred_pay_now AJAX endpoint by implementing server-side access controls, such as IP whitelisting or requiring authentication tokens, until a patch is available.
2. Monitor logs for unusual activity related to point withdrawals or balance changes, setting alerts for anomalous patterns.
3. Disable or limit the use of the myCred plugin's withdrawal and payment features if they are not essential.
4. Apply the principle of least privilege by ensuring only authorized roles can initiate withdrawal requests or modify points.
5. Engage with the plugin vendor or community to obtain and apply security patches as soon as they are released.
6. Conduct a security audit of all AJAX endpoints in WordPress installations to verify that proper authorization checks are in place.
7. Educate site administrators about the risks and encourage regular updates of plugins and themes to reduce exposure to similar vulnerabilities.
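Recommendation 6 (auditing every AJAX endpoint for authorization checks) can be partly automated. The PHP script below is an added helper written for this page; it is not part of the advisory, of Wordfence's tooling or of the myCred plugin. It pairs each `add_action( 'wp_ajax[_nopriv]_<action>', '<callback>' )` registration with the named callback's body and reports handlers that are reachable unauthenticated, lack a `current_user_can()` check, or lack nonce verification. It is regex-based, so it only resolves string-named callbacks (not closures or `array( $this, 'method' )` callbacks), and its findings are a review list, not a verdict. The embedded sample plugin source and its `demo_*` names are constructed for the demonstration.

```php
<?php
// Added audit helper (not from the advisory or the myCred plugin). Heuristic
// static scan of WordPress plugin source for AJAX handlers missing
// authorization. Handles only string-named callbacks; output needs manual review.

// Return the body of the named top-level function, or null if not found.
function extract_function_body( string $src, string $name ): ?string {
    $pattern = '/function\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)\s*\{/';
    if ( ! preg_match( $pattern, $src, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $start = $m[0][1] + strlen( $m[0][0] ); // just past the opening brace
    $depth = 1;
    for ( $i = $start, $n = strlen( $src ); $i < $n; $i++ ) {
        if ( $src[ $i ] === '{' ) {
            $depth++;
        } elseif ( $src[ $i ] === '}' && --$depth === 0 ) {
            return substr( $src, $start, $i - $start );
        }
    }
    return null; // unbalanced braces
}

// Scan one source string; $label is only used to tag findings (file path or 'sample').
function audit_ajax_source( string $src, string $label ): array {
    $findings = array();
    preg_match_all(
        "/add_action\(\s*['\"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)['\"]\s*,\s*['\"]([A-Za-z0-9_]+)['\"]/",
        $src, $regs, PREG_SET_ORDER
    );
    foreach ( $regs as $reg ) {
        list( , $nopriv, $action, $callback ) = $reg;
        $body  = extract_function_body( $src, $callback );
        $cap   = $body !== null && preg_match( '/\bcurrent_user_can\s*\(/', $body ) === 1;
        $nonce = $body !== null && preg_match( '/\b(check_ajax_referer|wp_verify_nonce)\s*\(/', $body ) === 1;
        $issues = array();
        if ( $nopriv !== '' ) { $issues[] = 'reachable unauthenticated (wp_ajax_nopriv_ hook)'; }
        if ( $body === null ) { $issues[] = 'callback body not found (closure, method, or other file)'; }
        if ( ! $cap )         { $issues[] = 'no current_user_can() in callback'; }
        if ( ! $nonce )       { $issues[] = 'no nonce verification in callback'; }
        if ( $issues ) {
            $findings[] = array( 'source' => $label, 'action' => $action, 'callback' => $callback, 'issues' => $issues );
        }
    }
    return $findings;
}

// Walk a plugin directory and scan every .php file.
function audit_ajax_directory( string $dir ): array {
    $findings = array();
    $iter = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $iter as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) { continue; }
        $path = $file->getPathname();
        $findings = array_merge( $findings, audit_ajax_source( (string) file_get_contents( $path ), $path ) );
    }
    return $findings;
}

// Constructed sample plugin source (not myCred code): one weak handler on a
// nopriv hook with no checks, and one hardened handler with nonce plus capability.
$sample_plugin_source = <<<'PHPSRC'
add_action( 'wp_ajax_nopriv_demo_pay_now', 'demo_pay_now' );
function demo_pay_now() {
    $id = absint( $_POST['id'] );
    update_post_meta( $id, '_demo_status', 'paid' );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_adjust_points', 'demo_adjust_points' );
function demo_adjust_points() {
    check_ajax_referer( 'demo_adjust', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }
    wp_send_json_success();
}
PHPSRC;

if ( PHP_SAPI === 'cli' ) {
    $target = $argv[1] ?? null;
    print_r( $target ? audit_ajax_directory( $target ) : audit_ajax_source( $sample_plugin_source, 'sample' ) );
}
```

Run it as `php audit.php /path/to/wp-content/plugins/<plugin>` to scan a real plugin directory, or with no argument to scan the embedded sample. On the sample it flags `demo_pay_now` with all three issues and reports nothing for `demo_adjust_points`. A handler flagged only as "reachable unauthenticated" may be legitimate (public actions such as a login form exist), but any nopriv handler that changes balances, approves payouts or touches payment state deserves the same treatment as the advisory's cashcred_pay_now finding.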
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-27T17:02:30.340Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693cff4ed69a8ed577177bff
Added to database: 12/13/2025, 5:53:18 AM
Last enriched: 12/13/2025, 6:07:11 AM
Last updated: 12/14/2025, 4:10:16 AM
Views: 23