cleantalk
Vulnerabilities and Security Researches

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin, CVE-2025-12361

CVE, Research URL

CVE-2025-12361

Home page URL

Security reports for myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin

Application

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin

Published on
Dec 19, 2025
Research Description
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information including user IDs, display names, and email addresses of all users on the site via the get_bank_accounts AJAX action. Passwords are not exposed.
Affected versions
max 2.9.7.2.
Status
vulnerable
Previous vulnerability researches
myCred Elementor (CVE-2024-49702) , Oct 25, 2024
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin (CVE-2024-43214) , Aug 13, 2024
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin (CVE-2025-49857) , Jun 19, 2025
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin (CVE-2025-49872) , Jun 19, 2025
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin (CVE-2025-54668) , Aug 06, 2025
New vulnerability
Visual Website Collaboration, Feedback & Project Management – Atarim (CVE-2026-25019) , Feb 27, 2026
Visual Website Collaboration, Feedback & Project Management – Atarim (CVE-2025-67993) , Feb 27, 2026
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress (CVE-2026-24965) , Feb 27, 2026
Nelio AB Testing (CVE-2026-25378) , Feb 27, 2026
VK All in One Expansion Unit (CVE-2025-11737) , Feb 27, 2026