CVE-2025-13812: CWE-862 Missing Authorization in rubengc GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-13812 affects the GamiPress – Gamification plugin for WordPress, which is widely used to reward points, achievements, badges, and ranks on WordPress sites. The core issue is a missing authorization check (CWE-862) in two AJAX handler functions: gamipress_ajax_get_posts and gamipress_ajax_get_users. These functions fail to verify whether the authenticated user has the appropriate capabilities before processing requests, allowing any user with at least Subscriber-level privileges to enumerate sensitive data. Specifically, attackers can retrieve lists of users including their email addresses and titles of private posts, which should normally be restricted.

The vulnerability does not permit modification or deletion of data, nor does it affect site availability. Exploitation requires authentication but no additional user interaction, and the attack vector is network-based (remote). The CVSS 3.1 base score is 4.3, reflecting low complexity and limited confidentiality impact. No public exploits have been reported yet, and no patches were linked at the time of disclosure. The vulnerability affects all versions up to and including 7.6.1 of the plugin.

Given the plugin’s role in gamification, sites with active user engagement and private content are particularly vulnerable to data leakage that could be leveraged for phishing or further attacks.
Potential Impact
For European organizations, the primary impact is the unauthorized disclosure of user email addresses and private post titles, which can undermine user privacy and trust. This data leakage can facilitate targeted phishing campaigns, social engineering, or identity theft. While the vulnerability does not allow data modification or service disruption, the exposure of private information can have regulatory implications under GDPR, potentially leading to fines and reputational damage. Organizations running community-driven or membership-based WordPress sites using GamiPress are at higher risk, especially if Subscriber-level accounts are widely granted. The impact is more pronounced for sectors handling sensitive or proprietary information, such as education, healthcare, and professional associations. Since the vulnerability requires authenticated access, the risk is mitigated somewhat by controlling user registrations and permissions. However, compromised or malicious low-privilege accounts could exploit this flaw to gather intelligence on users and private content.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence and version of the GamiPress plugin. Until an official patch is released:

- Restrict Subscriber-level user registrations, or reduce the permissions granted to such accounts, to prevent exploitation.
- Implement strong user authentication and monitor for unusual AJAX requests targeting the gamipress_ajax_get_posts and gamipress_ajax_get_users endpoints to detect exploitation attempts.
- Employ a Web Application Firewall (WAF) with custom rules to block unauthorized access to these AJAX handlers.
- Review and minimize the exposure of private posts and sensitive user data within the plugin’s scope.

Once a patch becomes available, prompt application is critical. Regularly updating WordPress core and plugins, enforcing the principle of least privilege, and educating users about phishing risks will further reduce the threat.
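The monitoring recommendation above, worked through as an added example (not code from the advisory or from the GamiPress plugin): a small detector that scans web-server access-log lines for admin-ajax.php calls to the two named actions and flags any client that repeats them. It assumes the `action` parameter is visible in the logged request target (GET requests, or a proxy/WAF that records the POST body), since WordPress AJAX calls are usually POSTed and a plain access log would not show the action; the log lines are constructed.

```python
"""Flag clients repeatedly calling the GamiPress AJAX actions named in
CVE-2025-13812 (added example; constructed sample log, not real traffic)."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The two handlers the advisory says lack a capability check.
WATCHED_ACTIONS = {"gamipress_ajax_get_posts", "gamipress_ajax_get_users"}

# Apache/nginx "combined" log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def watched_action(target: str) -> Optional[str]:
    """Return the watched action named in a request target, or None.
    Assumes the action is in the query string (see lead-in)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(parts.query).get("action", [None])[0]
    return action if action in WATCHED_ACTIONS else None


def find_enumeration(lines, threshold: int = 5):
    """Count successful (HTTP 200) watched-action calls per client IP and
    return sorted (ip, action, count) tuples at or above the threshold."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        action = watched_action(m.group("target"))
        if action:
            hits[(m.group("ip"), action)] += 1
    return sorted((ip, act, n) for (ip, act), n in hits.items() if n >= threshold)


# Constructed sample: one client paging through users, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jan/2026:07:40:%02d +0000] "GET /wp-admin/admin-ajax.php'
    '?action=gamipress_ajax_get_users&q=a&page=%d HTTP/1.1" 200 812 "-" "-"' % (i, i)
    for i in range(6)
] + [
    '198.51.100.2 - - [06/Jan/2026:07:41:00 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.2 - - [06/Jan/2026:07:41:03 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=gamipress_ajax_get_posts&q=x HTTP/1.1" 200 300 "-" "-"',
]

if __name__ == "__main__":
    for ip, action, n in find_enumeration(SAMPLE_LOG):
        print(f"ALERT {ip} called {action} {n} times")
```

The threshold is a starting point; tune it against the site's normal GamiPress admin usage, and feed the same check from WAF or application logs where POST bodies are recorded.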
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-30T19:30:05.271Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695cbbce3839e44175f9f00e
Added to database: 1/6/2026, 7:37:50 AM
Last enriched: 1/6/2026, 7:52:34 AM
Last updated: 1/8/2026, 8:10:05 AM