CVE-2025-64267
📋 TL;DR
This vulnerability in the WooCommerce Ultimate Points And Rewards plugin exposes sensitive system information to unauthorized users. Attackers can retrieve embedded sensitive data from affected WordPress sites. All sites running vulnerable versions of this plugin are affected.
💻 Affected Systems
- WooCommerce Ultimate Points And Rewards WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain sensitive system information that could be used for reconnaissance, privilege escalation, or as part of a larger attack chain.
Likely Case
Unauthorized users access internal system details, configuration data, or other sensitive information embedded in plugin responses.
If Mitigated
Limited exposure of non-critical system information with minimal impact on overall security posture.
🎯 Exploit Status
Based on CWE-497 and CVSS 4.3 score, exploitation appears straightforward but requires specific conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.10.2
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'WooCommerce Ultimate Points And Rewards'
4. Click 'Update Now' if available
5. If no update available, download latest version from WordPress repository
6. Deactivate and delete old version
7. Upload and activate new version
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the vulnerable plugin until patched
wp plugin deactivate woocommerce-ultimate-points-and-rewards
Restrict Access
allUse web application firewall to block requests to vulnerable endpoints
🧯 If You Can't Patch
- Implement strict access controls and network segmentation
- Deploy web application firewall with specific rules for this vulnerability
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'WooCommerce Ultimate Points And Rewards' versionCheck Version:
wp plugin get woocommerce-ultimate-points-and-rewards --field=versionVerify Fix Applied:
Verify plugin version is greater than 2.10.2 in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual requests to plugin endpoints
- Multiple failed attempts to access sensitive data paths
Network Indicators:
- Traffic patterns targeting plugin-specific URLs
- Unusual data retrieval from plugin endpoints
SIEM Query:
source="wordpress" AND (uri_path="*points-and-rewards*" OR user_agent="*scanner*")