CVE-2025-13812: CWE-862 Missing Authorization in rubengc GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts.
AI Analysis
Technical Summary
GamiPress is a WordPress plugin that awards points, achievements, badges and ranks. CVE-2025-13812 is a missing authorization flaw (CWE-862) in two of its AJAX handlers, gamipress_ajax_get_posts and gamipress_ajax_get_users. WordPress dispatches handlers registered on the wp_ajax_{action} hook from wp-admin/admin-ajax.php for any logged-in user, so unless the handler itself calls current_user_can() with a suitable capability, the lowest-privileged role can invoke it. These two handlers perform no such check, which lets an authenticated attacker with Subscriber-level access or above enumerate the site's users, including their email addresses, and retrieve the titles of private posts, data that WordPress otherwise reserves for holders of the list_users and read_private_posts capabilities. A nonce check, where one exists, is a CSRF control and does not substitute for a capability check. All versions up to and including 7.6.1 are affected; at the time of this analysis no patched release had been identified, so confirm against the vendor's changelog before assuming a fix exists. The CVSS 3.1 base score is 4.3 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, confidentiality impact only. Integrity and availability are not affected, and no exploitation in the wild has been reported, but the disclosed data is useful reconnaissance for phishing or credential attacks against site users and administrators.
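As an added illustration (not code from GamiPress or from the Wordfence advisory), the shape of a WordPress AJAX handler with the defect described above, beside a hardened version. Handler names, the example_* action names and the nonce action string are hypothetical; the WordPress functions used (add_action, check_ajax_referer, current_user_can, get_users, get_posts, wp_send_json_*) are real core APIs:

```php
<?php
/**
 * Added illustration for CVE-2025-13812 (hypothetical names, not GamiPress code).
 * Drop into wp-content/mu-plugins/ to try it on a test site.
 */

// --- Vulnerable shape ---------------------------------------------------
// Registered on wp_ajax_ only, so it is reachable by every logged-in user via
// POST /wp-admin/admin-ajax.php with action=example_get_users. Nothing here
// asks whether the caller is allowed to see the user list: that is the
// missing authorization (CWE-862). A nonce check would not fix it either.
add_action( 'wp_ajax_example_get_users', 'example_get_users_vulnerable' );
function example_get_users_vulnerable() {
    $search = isset( $_REQUEST['q'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['q'] ) ) : '';
    $users  = get_users( array(
        'search' => '*' . $search . '*',
        'fields' => array( 'ID', 'user_login', 'user_email' ), // email address leaks here
    ) );
    wp_send_json_success( $users );
}

// --- Hardened shape -----------------------------------------------------
add_action( 'wp_ajax_example_get_users_safe', 'example_get_users_hardened' );
function example_get_users_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_admin_search', 'nonce' );

    // 2. Authorization: only roles holding list_users (Administrator by
    //    default) get through; a Subscriber receives a 403 and no data.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Minimise what is returned: no email, bounded result count.
    $search = isset( $_REQUEST['q'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['q'] ) ) : '';
    $users  = get_users( array(
        'search'         => '*' . $search . '*',
        'search_columns' => array( 'user_login', 'display_name' ),
        'number'         => 20,
        'fields'         => array( 'ID', 'display_name' ),
    ) );
    wp_send_json_success( $users );
}

// Same pattern for the post lookup: private posts are included only when the
// caller holds read_private_posts; everyone else gets published posts only.
add_action( 'wp_ajax_example_get_posts_safe', 'example_get_posts_hardened' );
function example_get_posts_hardened() {
    check_ajax_referer( 'example_admin_search', 'nonce' );

    $search   = isset( $_REQUEST['q'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['q'] ) ) : '';
    $statuses = current_user_can( 'read_private_posts' )
        ? array( 'publish', 'private' )
        : array( 'publish' );

    $posts = get_posts( array(
        's'           => $search,
        'post_status' => $statuses,
        'post_type'   => 'post',
        'numberposts' => 20,
    ) );
    // Return only id => title, not whole post objects.
    wp_send_json_success( wp_list_pluck( $posts, 'post_title', 'ID' ) );
}
```

The two fixes are independent: check_ajax_referer() stops cross-site requests from riding a logged-in session, and current_user_can() decides whether that session may see the data at all. The advisory concerns the second check; a handler that only has the first is still vulnerable to the enumeration described.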
Potential Impact
The impact is to confidentiality only. A low-privileged account can enumerate every user on the site with their email address and can read the titles of private posts, information WordPress normally withholds from that role. The user list supports password-spraying and targeted phishing of administrators; private post titles can reveal unreleased content, internal project names or other sensitive context. Integrity and availability are untouched, but exposure of email addresses may still be a reportable personal-data breach under regulations such as GDPR. Any site running GamiPress at or below 7.6.1 with open or lightly controlled registration is exposed, and because the request needs no user interaction it can be automated across many sites. Until a fixed release is confirmed, the flaw should be treated as exploitable and the interim mitigations below applied.
Mitigation Recommendations
Until an official patch is released, organizations should apply the following mitigations:
1) Restrict registration (Settings → General → "Anyone can register") and audit existing Subscriber-level accounts, since the flaw is only reachable by logged-in users.
2) Add a Web Application Firewall rule for requests to /wp-admin/admin-ajax.php whose action parameter maps to gamipress_ajax_get_posts or gamipress_ajax_get_users. The action value may be a shortened form of the function name; take it from the plugin's add_action( 'wp_ajax_...' ) registrations rather than guessing. A WAF sees the logged-in cookie but not the role, so a blanket block will also stop legitimate administrative use of the same action; scope the rule accordingly or prefer an in-application check (item 7).
3) Disable or remove the GamiPress plugin if gamification is non-essential, or replace it with a plugin whose authorization controls have been verified.
4) Monitor web-server and WordPress logs for admin-ajax.php requests carrying those action values, especially a high rate from one account or iterated search terms, which is what enumeration looks like.
5) Review roles and capabilities so that no account holds more than it needs; in particular, do not grant list_users or read_private_posts to custom low-trust roles.
6) Watch for a vendor release that addresses the issue and update promptly once it is available.
7) Add a server- or application-level gate that runs before the plugin's handler and enforces the missing capability check, for example a must-use plugin hooked on admin_init, which admin-ajax.php fires before dispatching wp_ajax_{action}.
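An added example of item 7 (and the logging side of item 4): a must-use plugin that intercepts selected admin-ajax.php actions before the plugin's own handler runs, refuses callers without the required capability, and logs refused attempts. This is not vendor or Wordfence code. The action names in the table are placeholders and must be replaced with the real wp_ajax_ registrations from the installed GamiPress version; the capability mapping (list_users for the user lookup, read_private_posts for the post lookup) is this example's choice:

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-13812 (added example, not vendor code)
 * Description: Enforce a capability check on selected admin-ajax.php actions
 *              before the plugin's wp_ajax_ handler runs, and log refusals.
 *
 * Install: copy to wp-content/mu-plugins/cve-2025-13812-gate.php
 *
 * ASSUMPTION: the action names below are placeholders. Look up the real ones in
 * the plugin source: add_action( 'wp_ajax_<action>', 'gamipress_ajax_get_users' )
 * and the matching registration for gamipress_ajax_get_posts.
 */

// action name => capability the caller must hold (filterable for local tuning)
function cve_2025_13812_guarded_actions() {
    return apply_filters( 'cve_2025_13812_guarded_actions', array(
        'gamipress_get_users' => 'list_users',          // placeholder action name
        'gamipress_get_posts' => 'read_private_posts',  // placeholder action name
    ) );
}

function cve_2025_13812_gate() {
    // Only AJAX dispatches with an action parameter are of interest.
    if ( ! wp_doing_ajax() || ! isset( $_REQUEST['action'] ) ) {
        return;
    }

    $action  = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    $guarded = cve_2025_13812_guarded_actions();
    if ( ! isset( $guarded[ $action ] ) ) {
        return; // not one of the gated actions
    }

    if ( current_user_can( $guarded[ $action ] ) ) {
        return; // authorised: let the plugin's handler run as normal
    }

    // Refused: record who tried, then stop before wp_ajax_{action} fires.
    $user = wp_get_current_user();
    error_log( sprintf(
        'CVE-2025-13812 gate: refused action=%s user_id=%d login=%s ip=%s',
        $action,
        (int) $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    // wp_send_json_error() ends the request via wp_die(), so nothing after
    // this line (including the plugin's handler) executes.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// admin-ajax.php runs do_action( 'admin_init' ) before dispatching the
// wp_ajax_{action} hook, so priority 0 here runs ahead of the plugin.
add_action( 'admin_init', 'cve_2025_13812_gate', 0 );
```

Because the gate runs inside WordPress it can consult the caller's role, which a WAF cannot; administrators keep using the lookup while Subscribers get a 403 and a log line in the PHP error log (or wherever error_log() is routed) that can feed the monitoring in item 4. Remove the mu-plugin once a vendor release that adds the capability check is installed.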
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-30T19:30:05.271Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695cbbce3839e44175f9f00e
Added to database: 1/6/2026, 7:37:50 AM
Last enriched: 2/27/2026, 10:19:53 AM
Last updated: 3/23/2026, 11:54:31 PM