CVE-2025-12362
📋 TL;DR
This vulnerability allows unauthenticated attackers to manipulate the myCred WordPress plugin's financial systems. Attackers can approve withdrawal requests, modify user point balances, and interfere with payment processing without any authentication. WordPress sites using myCred plugin versions 2.9.7 and earlier are affected.
💻 Affected Systems
- myCred - Points Management System For Gamification, Ranks, Badges, and Loyalty Program WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could drain the site's payment system by approving fraudulent withdrawals, manipulate all user point balances to disrupt gamification systems, and potentially cause financial losses.
Likely Case
Attackers will manipulate point balances to gain unfair advantages in gamification systems and potentially approve small fraudulent withdrawals.
If Mitigated
With proper authentication controls, only authorized administrators can manage withdrawals and point balances, preventing unauthorized manipulation.
🎯 Exploit Status
The vulnerability is in a publicly accessible AJAX endpoint with no authentication checks, making exploitation trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3417299/mycred/trunk?contextall=1&old=3410754&old_path=%2Fmycred%2Ftrunk#file0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the myCred plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.9.8+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable cashcred_pay_now AJAX endpoint
Temporarily block access to the vulnerable AJAX action by modifying the theme's functions.php or by using a security plugin.
Add to theme's functions.php:
// Temporary workaround: reject any request for the vulnerable AJAX action before it is dispatched.
// 'init' fires during WordPress bootstrap, before admin-ajax.php routes the action, and the
// check reads $_REQUEST because that is what admin-ajax.php itself reads.
// Note: this also blocks administrators from paying out legitimate withdrawals until the plugin is updated.
add_action('init', function () {
    if (isset($_REQUEST['action']) && $_REQUEST['action'] === 'cashcred_pay_now') {
        wp_die('Access denied', 403); // wp_die treats an integer second argument as the HTTP response code
    }
});
🧯 If You Can't Patch
- Disable the myCred plugin completely until patched
- Implement web application firewall rules to block requests to cashcred_pay_now AJAX endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for myCred version. If version is 2.9.7 or lower, you are vulnerable.
Check Version:
Run wp plugin list --name=mycred --field=version (if WP-CLI is installed), or check the WordPress admin plugins page.
Verify Fix Applied:
After updating, verify myCred plugin version shows 2.9.8 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=cashcred_pay_now from unauthenticated users
- Unusual withdrawal approvals or point balance changes in myCred logs
Network Indicators:
- HTTP POST requests to admin-ajax.php with cashcred_pay_now parameter from unauthorized IPs
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "cashcred_pay_now" AND NOT (user="authenticated_user")
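As an added example (not from this advisory or the myCred project), a Python check that applies the log indicators above to web-server access logs: it parses combined-format lines, keeps POSTs to admin-ajax.php whose query string names cashcred_pay_now, and reports per-IP counts plus hits that lack a wp-admin referer. The log lines, the IPs and the admin page slug in the referer are constructed; because admin-ajax.php also accepts the action in the POST body, an access log alone will miss those requests and WAF or application logs are needed for them.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Matches the Apache/nginx "combined" format:
#   ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TARGET_ACTION = "cashcred_pay_now"

# Constructed sample log lines (RFC 5737 documentation addresses, made-up timestamps and page slug).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=cashcred_pay_now HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2025:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=cashcred_pay_now HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2025:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=cashcred_pay_now HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.4 - - [10/Nov/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=cashcred_pay_now HTTP/1.1" 200 312 "https://example.com/wp-admin/admin.php?page=mycred-cashcred" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2025:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "https://example.com/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2025:10:07:00 +0000] "POST /wp-admin/admin-ajax.php?action=cashcred_pay_now HTTP/1.1" 200 312 "-" "curl/8.4"
""".splitlines()

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def hits_target(entry):
    # admin-ajax.php reads the action from $_REQUEST, so it may be in the query string;
    # an action sent only in the POST body is invisible here and needs WAF/app logs.
    url = urlsplit(entry["path"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return TARGET_ACTION in parse_qs(url.query).get("action", [])

def suspicious_sources(lines, threshold=3):
    """Per-IP stats for POSTs to the vulnerable action; keeps IPs that hit it at least
    `threshold` times, or ever did so without a wp-admin referer (browser calls from
    the plugin's admin page carry one, scripted calls usually do not)."""
    stats = defaultdict(lambda: {"count": 0, "no_admin_referer": 0})
    for line in lines:
        e = parse_line(line)
        if not e or e["method"] != "POST" or not hits_target(e):
            continue
        s = stats[e["ip"]]
        s["count"] += 1
        if "/wp-admin/" not in e["referer"]:
            s["no_admin_referer"] += 1
    return {ip: s for ip, s in stats.items()
            if s["count"] >= threshold or s["no_admin_referer"] > 0}
```

Running suspicious_sources(SAMPLE_LOG) flags 203.0.113.7 (three scripted hits) and 192.0.2.9 (one hit without a wp-admin referer) while the browser-driven admin call from 198.51.100.4 is left alone.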
🔗 References
- https://plugins.trac.wordpress.org/browser/mycred/tags/2.9.5.1/addons/cash-creds/modules/cashcred-module-core.php#L141
- https://plugins.trac.wordpress.org/changeset/3417299/mycred/trunk?contextall=1&old=3410754&old_path=%2Fmycred%2Ftrunk#file0
- https://www.wordfence.com/threat-intel/vulnerabilities/id/af54654b-60af-446d-b170-ee0a1ebed22c?source=cve