CVE-2026-13450
Last modified
CVE-2026-13450 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view private GamiPress activity log entries belonging to any user, including badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress. EPSS estimates a 0.41% chance of exploitation in the next 30 days.
Description
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view private GamiPress activity log entries belonging to any user, including badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress. This is exploitable by any unauthenticated visitor because the required 'gamipress' nonce is broadcast to all front-end users via wp_localize_script on the wp_enqueue_scripts hook, making the sole authentication barrier trivially bypassable.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| rubengc | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | <= 7.9.4 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-13450?
How severe is CVE-2026-13450?
How do I fix CVE-2026-13450?
Related CVEs from 2026
- CVE-2026-13437Insertion of sensitive information into sent data in the AI …6.5
- CVE-2026-1344Tanium addressed an insecure file permissions vulnerability …5.5
- CVE-2026-13441The EventPrime – Events Calendar, Bookings and Tickets plugi…7.2
- CVE-2026-13443The Tutor LMS – eLearning and online course solution plugin …6.4
- CVE-2026-13449IBM Business Automation Manager Open Editions 9.0.0 through …9.1
- CVE-2026-1345IBM Verify Identity Access Container 11.0 through 11.0.2 and…7.3
- CVE-2026-13454The MotoPress Appointment Booking plugin for WordPress is vu…6.5
- CVE-2026-13455PostgreSQL Anonymizer contains a vulnerability that allows u…4.3
- CVE-2026-13459The JetFormBuilder — Dynamic Blocks Form Builder plugin for …5.3
- CVE-2026-1346IBM Verify Identity Access Container 11.0 through 11.0.2 and…7.8
- CVE-2026-13461When coupled with the SSL bypass vulnerability, JavaScript c…9.6
- CVE-2026-13462PayRange Android app, version 7.0.7 and below, contains an S…7.5
Are you affected by CVE-2026-13450?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
