Insecure Direct Object Reference in GamiPress Plugin for WordPress
CVE-2026-13450

5.3MEDIUM

What is CVE-2026-13450?

The GamiPress plugin, utilized for gamifying user experience by rewarding points and achievements on WordPress, is susceptible to an Insecure Direct Object Reference vulnerability. This issue allows unauthenticated attackers to access private GamiPress activity log entries of any user by manipulating the 'access' parameter without proper validation. Consequently, attackers can view sensitive data such as badge earnings, changes to points balances, and event records linked to integrated plugins like WooCommerce, LearnDash, and BuddyPress. The vulnerability arises from the exposure of the 'gamipress' nonce, which is available to all front-end users, allowing easy bypass of authentication measures.

Affected Version(s)

GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress 0 <= 7.9.4

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Niv Kochan
.