CVE-2025-12362
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7 - Missing Authorization to Unauthenticated Withdrawal Request Approval
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to approve withdrawal requests, modify user point balances, and manipulate the payment processing system via the cashcred_pay_now AJAX action.
| CWE | CWE-862 |
| Vendor | saadiqbal |
| Product | points management system for gamification, ranks, badges, and loyalty rewards program – mycred |
| Published | Dec 13, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for saadiqbal points management system for gamification, ranks, badges, and loyalty rewards program – mycred
Be the first to know when new medium vulnerabilities affecting saadiqbal points management system for gamification, ranks, badges, and loyalty rewards program – mycred are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
saadiqbal / Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred
0 ≤ 2.9.7
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/af54654b-60af-446d-b170-ee0a1ebed22c?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mycred/tags/2.9.5.1/addons/cash-creds/modules/cashcred-module-core.php#L141 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3417299/mycred/trunk?contextall=1&old=3410754&old_path=%2Fmycred%2Ftrunk#file0
Credits
Rafshanzani Suhada