WordPress GamiPress plugin <= 7.6.3 - Broken Access Control vulnerability

Vulnerability

The GamiPress WordPress plugin, versions through 7.6.3, contains a missing authorization vulnerability [1][2]. The plugin provides gamification features like points, achievements, and ranks. The vulnerability allows exploitation of incorrectly configured access control security levels, meaning certain functions do not properly check permissions.

Exploitation

An attacker with network access to the WordPress site can exploit this vulnerability without requiring authentication [2]. The missing authorization allows direct access to functions that should require higher privileges. No user interaction is needed. The exact sequence of steps is not detailed, but likely involves sending crafted requests to vulnerable endpoints.

Impact

Successful exploitation leads to unauthorized access to administrative functions, possibly allowing modification of user points, achievements, or ranks [2]. The overall impact is considered low severity, but it can affect the integrity of the gamification system and potentially lead to privilege escalation within the plugin's context.

Mitigation

The vulnerability is fixed in version 7.6.4 [2]. Users should update to this version or later (current version 7.8.8) [1]. The Patchstack advisory recommends immediate update as the vulnerability may be used in mass-exploit campaigns [2]. No workarounds are provided.