The vulnerability identified as CVE-2025-15260 affects the MyRewards – Loyalty Points and Rewards for WooCommerce plugin, a popular WordPress extension used to manage loyalty points and rewards in e-commerce stores. The root cause is a missing authorization check (CWE-862) in the plugin's AJAX handler function, which fails to verify whether the authenticated user has the necessary permissions to perform certain actions. As a result, any authenticated user with subscriber-level access or above can exploit this flaw to manipulate loyalty program earning rules. This includes adding new rules, modifying existing ones, deleting rules, and setting point multipliers to arbitrary values. The vulnerability is remotely exploitable over the network without requiring user interaction, increasing its risk profile. The CVSS 3.1 base score is 6.5, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). Although no public exploits have been reported, the ability to alter loyalty points undermines the integrity of the rewards system, potentially leading to financial losses and reputational damage. The vulnerability affects all versions up to and including 5.6.0 of the plugin. No official patches have been linked yet, so mitigation currently relies on compensating controls.

For European organizations, particularly those operating e-commerce platforms using WooCommerce with the MyRewards plugin, this vulnerability poses a significant risk to the integrity of their loyalty programs. Attackers with minimal privileges can manipulate loyalty points, potentially granting themselves or others undue rewards, which can lead to financial losses and erosion of customer trust. The integrity compromise could also facilitate fraudulent transactions or abuse of referral and review incentives, distorting marketing analytics and customer engagement metrics. Since the vulnerability does not impact confidentiality or availability, data breaches or service outages are less likely. However, the reputational damage and financial impact from loyalty program abuse can be substantial. Given the widespread use of WooCommerce in Europe, especially in countries with mature e-commerce markets, the threat is relevant and should be addressed promptly to prevent exploitation.

1. Monitor for plugin updates from lwsdevelopers and apply patches immediately once available to address the missing authorization check. 2. Until a patch is released, restrict access to the WordPress admin and subscriber roles by enforcing strict role-based access controls and minimizing the number of users with subscriber or higher privileges. 3. Implement web application firewall (WAF) rules to detect and block suspicious AJAX requests targeting the loyalty program endpoints. 4. Audit and monitor loyalty program rule changes regularly to detect unauthorized modifications, using logging and alerting mechanisms. 5. Consider temporarily disabling the MyRewards plugin if the loyalty program is not critical or if compensating controls cannot be effectively implemented. 6. Educate site administrators about the risk and encourage strong password policies and multi-factor authentication to reduce the risk of compromised accounts. 7. Review and harden WordPress security configurations, including limiting plugin installation and updates to trusted personnel only.