myCred Points Management System Missing Authorization Vulnerability in CashCred Module

A missing authorization vulnerability has been identified in the myCred Points Management System for WordPress, specifically in versions through 2.9.7. This vulnerability allows unauthenticated users to approve withdrawal requests, alter user point balances, and interfere with the payment processing system. The issue arises from the plugin's failure to properly verify user authorization for actions performed via the cashcred_pay_now AJAX endpoint.

Impact

Exploitation of this vulnerability allows for unauthorized approval of withdrawal requests, modification of user point balances, and manipulation of the payment processing system within the affected WordPress site.

Reproduction

To reproduce this vulnerability, send a POST request to the 'wp_ajax_nopriv_cashcred_pay_now' action without the necessary authorization. Include the 'post_ID' and 'cashcred_pay_method' parameters. The absence of a valid nonce or user authentication will bypass the authorization checks, allowing the request to be processed.

Remediation

Users are advised to update the myCred Points Management System plugin to version 2.9.7.1 or later.