CVE-2025-12361
📋 TL;DR
This vulnerability in the myCred WordPress plugin allows authenticated attackers with Subscriber-level access or higher to retrieve sensitive user information including IDs, display names, and email addresses. The plugin fails to properly verify user authorization for the get_bank_accounts AJAX action. All WordPress sites using vulnerable versions of myCred are affected.
💻 Affected Systems
- myCred - Points Management System For Gamification, Ranks, Badges, and Loyalty Program
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest all user email addresses and display names for phishing campaigns, spam, or credential stuffing attacks against other services.
Likely Case
Attackers will collect user email addresses and display names for targeted spam or phishing campaigns.
If Mitigated
With proper access controls and monitoring, impact is limited to potential privacy violation and minor data exposure.
🎯 Exploit Status
Exploitation requires authenticated access but is simple to execute via crafted AJAX requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.7.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3421768/mycred/trunk?contextall=1&old=3417299&old_path=%2Fmycred%2Ftrunk
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find myCred plugin and click 'Update Now'. 4. Verify plugin version is 2.9.7.2 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or restrict access to the get_bank_accounts AJAX action
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_get_bank_accounts', 'mycred_service_central_ajax_get_bank_accounts');
Add to .htaccess if using Apache: RewriteCond %{QUERY_STRING} action=get_bank_accounts [NC] RewriteRule .* - [F,L]
Restrict user registration
allTemporarily disable new user registration to prevent attacker account creation
In WordPress admin: Settings > General > uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement web application firewall rules to block requests to the vulnerable AJAX endpoint
- Monitor user accounts and audit logs for suspicious data access patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for myCred version. If version is 2.9.7.1 or lower, you are vulnerable.Check Version:
wp plugin list --name=mycred --field=version (if WP-CLI installed)Verify Fix Applied:
After updating, verify myCred version is 2.9.7.2 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Multiple AJAX requests to /wp-admin/admin-ajax.php with action=get_bank_accounts
- Unusual data export patterns from authenticated users
Network Indicators:
- HTTP POST requests to admin-ajax.php with action=get_bank_accounts parameter
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "get_bank_accounts"🔗 References
- https://plugins.trac.wordpress.org/browser/mycred/tags/2.9.5.1/addons/banking/services/mycred-service-central.php#L172
- https://plugins.trac.wordpress.org/changeset/3421768/mycred/trunk?contextall=1&old=3417299&old_path=%2Fmycred%2Ftrunk
- https://www.wordfence.com/threat-intel/vulnerabilities/id/43b05697-bc36-4f32-86b4-2feef892fe42?source=cve
