CVE-2026-24581

Vulnerability

Overview The vulnerability is a missing authorization (Broken Access Control) issue in the Points and Rewards for WooCommerce plugin by WP Swings. Versions from n/a through 2.9.5 lack proper access control checks, allowing exploitation of incorrectly configured security levels [1].

Exploitation

An attacker with low privileges (e.g., a subscriber or customer) can exploit this missing authorization to perform actions normally restricted to higher-privileged users. No authentication bypass is required; the flaw lies in functions that do not verify the user's capabilities before execution [1].

Impact

Successful exploitation could allow privilege escalation or unauthorized modification of reward points, resulting in potential misuse of the store's reward system. The vendor has assigned a CVSS v3 score of 5.4 (Medium), reflecting moderate impact on confidentiality, integrity, and availability [1].

Mitigation

The vulnerability is patched in version 2.9.6. Users are strongly advised to update immediately. If unable to update, consider contacting your hosting provider or web developer for assistance. The Patchstack advisory notes that this issue is part of broader mass-exploit campaigns but has a low likelihood of individual exploitation [1].