myCred
cpe:2.3:a:mycred:mycred:*:*:*:*:wordpress:*:*
- <= 2.9.7.1
A missing authorization vulnerability has been identified in the myCred Points Management System for Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress, affecting versions through 2.9.7.1. The vulnerability arises because the plugin fails to properly verify user authorization for certain actions. This flaw allows authenticated attackers with Subscriber-level access or higher to access sensitive information, such as user IDs, display names, and email addresses of all users on the site, through the get_bank_accounts AJAX action. Notably, passwords are not exposed.
Exploitation of this vulnerability could lead to unauthorized access to sensitive user information, including IDs, display names, and email addresses, for all users on the site.
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the get_bank_accounts AJAX action. This request can be made through the WordPress admin interface or by using a tool that allows for AJAX requests, such as Postman. The response will include sensitive information about all users on the site, demonstrating the missing authorization issue.
Users are advised to update the myCred Points Management System plugin to version 2.9.7.2 or a newer patched version.
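The root cause named above, a handler that accepts any authenticated caller, is the classic WordPress admin-ajax mistake of treating login as authorization. The following is an added illustration, not myCred's own code, of how such a handler should gate access to user data; the AJAX action name follows the advisory, while the function names, nonce action and capability choice are assumptions.

```php
<?php
// Added example, not code from the myCred plugin. It shows an admin-ajax
// handler for a "get_bank_accounts" action that enforces both a nonce and
// a capability check before returning data about other users.
// Function names, the nonce action and the capability are hypothetical.

function example_get_bank_accounts() {
    // Hooks registered only via wp_ajax_ (not wp_ajax_nopriv_) still run for
    // every logged-in role, including Subscriber. A missing check here is
    // exactly the class of flaw the advisory describes.

    // 1. Reject requests without a nonce issued for this specific action;
    //    on failure check_ajax_referer() terminates the request (-1).
    check_ajax_referer( 'example_get_bank_accounts', 'nonce' );

    // 2. Require a capability that only privileged roles hold. Subscribers
    //    do not have 'list_users', so they get a 403 and no user data.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Only now query user records, and only the columns the feature needs.
    $users = get_users(
        array( 'fields' => array( 'ID', 'display_name', 'user_email' ) )
    );
    wp_send_json_success( $users );
}
add_action( 'wp_ajax_get_bank_accounts', 'example_get_bank_accounts' );

// The matching nonce is issued to the page that legitimately calls the action
// (hypothetical script handle), so the token is bound to this one purpose.
function example_enqueue_bank_accounts_script() {
    wp_localize_script(
        'example-bank-accounts',
        'exampleBankAccounts',
        array( 'nonce' => wp_create_nonce( 'example_get_bank_accounts' ) )
    );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_bank_accounts_script' );
```

When reviewing a plugin for this bug class, grep every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm each callback reaches a `current_user_can()` (or equivalent) check before touching user, order or configuration data.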