CVE-2025-15260

Sažetak

The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values.

Reference

https://plugins.trac.wordpress.org/browser/woorewards/tags/5.6.0/assets/lws-adminpanel/include/internal/editlistcontroler.php#L76
https://www.wordfence.com/threat-intel/vulnerabilities/id/2591f473-44ff-4319-8b17-b0f793a29d66?source=cve

CVSS

Base:	6.5
Impact:	3.6
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	HIGH	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Zadnje važnije ažuriranje

04-02-2026 - 16:33

Objavljeno

04-02-2026 - 09:15