Insecure Direct Object Reference in GamiPress Plugin for WordPress
CVE-2026-13450
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-13450?
The GamiPress plugin, utilized for gamifying user experience by rewarding points and achievements on WordPress, is susceptible to an Insecure Direct Object Reference vulnerability. This issue allows unauthenticated attackers to access private GamiPress activity log entries of any user by manipulating the 'access' parameter without proper validation. Consequently, attackers can view sensitive data such as badge earnings, changes to points balances, and event records linked to integrated plugins like WooCommerce, LearnDash, and BuddyPress. The vulnerability arises from the exposure of the 'gamipress' nonce, which is available to all front-end users, allowing easy bypass of authentication measures.
Affected Version(s)
GamiPress β Gamification plugin to reward points, achievements, badges & ranks in WordPress 0 <= 7.9.4