CVE-2025-15260 is a vulnerability classified under CWE-862 (Missing Authorization) found in the MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress, affecting all versions up to and including 5.6.0. The root cause is the plugin's failure to properly verify user authorization within its AJAX handling function. This flaw allows any authenticated user with subscriber-level privileges or higher to bypass intended access controls and perform unauthorized actions such as adding, modifying, or deleting loyalty program earning rules. Specifically, attackers can manipulate point multipliers to arbitrary values, effectively enabling them to fraudulently increase loyalty points. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 score of 6.5 reflects a medium severity, with the vector indicating network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to the integrity of loyalty point systems, potentially leading to financial losses and reputational damage for affected e-commerce sites. The plugin is widely used in WooCommerce-based WordPress stores, which are prevalent globally, especially in countries with large e-commerce markets. The lack of a patch at the time of this report necessitates immediate mitigation efforts.

The primary impact of CVE-2025-15260 is on the integrity of loyalty program data within affected WooCommerce stores. Attackers can manipulate loyalty point earning rules and multipliers, allowing fraudulent accumulation or redemption of points. This can lead to direct financial losses for merchants due to unauthorized discounts or rewards. Additionally, the trustworthiness of the loyalty program can be undermined, damaging customer confidence and brand reputation. Since the vulnerability requires only subscriber-level authentication, it lowers the barrier for exploitation, increasing risk especially in environments where subscriber accounts are easily created or compromised. There is no direct impact on confidentiality or availability, but the integrity breach can indirectly affect business operations and customer relationships. Organizations relying on this plugin for customer loyalty management face risks of fraud, revenue loss, and potential regulatory scrutiny if customer data or transactions are affected.

To mitigate CVE-2025-15260, organizations should immediately upgrade the MyRewards plugin to a version that includes proper authorization checks once available from the vendor. Until a patch is released, administrators should restrict subscriber-level account creation and monitor for suspicious activity related to loyalty point modifications. Implementing web application firewalls (WAFs) with custom rules to detect and block unauthorized AJAX requests targeting loyalty rule endpoints can reduce risk. Additionally, auditing user roles and permissions to ensure minimal necessary access is granted can limit potential exploitation. Logging and alerting on changes to loyalty program configurations should be enabled to detect unauthorized modifications promptly. Organizations may also consider temporarily disabling the loyalty program features if feasible, or isolating the plugin’s AJAX endpoints behind additional authentication layers. Regular security reviews and penetration testing focused on authorization controls in plugins are recommended to prevent similar issues.