PT-2025-2189 · WordPress · Gamipress

Michael Mazzolini +1 · Published 2025-01-22 · Updated 2025-01-27 · CVE-2024-13495

CVSS v3.1: 7.3 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress, versions up to and including 7.2.1.

Description: The plugin exposes an action that passes a user-supplied value to do_shortcode() without validating it first. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via the gamipress_ajax_get_logs() function.

Recommendations: For versions up to and including 7.2.1, update to a version higher than 7.2.1 to resolve the issue. As a temporary workaround, consider disabling the gamipress_ajax_get_logs() function until a patch is available. Restrict access to the do_shortcode() call to minimize the risk of exploitation. Avoid using the gamipress_ajax_get_logs() function in the affected API endpoint until the issue is resolved.
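The weakness class described above, as an added illustration that is not GamiPress's own code: a WordPress AJAX handler that hands request input straight to do_shortcode(), next to a hardened handler that only lets the client pick from a fixed allow-list of server-defined shortcode strings, requires a nonce, and is not registered on the unauthenticated (nopriv) hook. Every name in the block (the gp_example_ prefix, the action hook names, the `type` and `nonce` request parameters, the [gp_example_logs] shortcode) is hypothetical and assumed for the example; the page does not give GamiPress's actual hook or parameter names.

```php
<?php
// Added example; not GamiPress code. All hook, function, shortcode and
// parameter names below are hypothetical.

// VULNERABLE PATTERN: a nopriv AJAX handler renders whatever the request
// supplies, so any shortcode registered on the site can be triggered by an
// unauthenticated caller. This is the defect the advisory describes.
function gp_example_get_logs_vulnerable() {
    $template = isset( $_REQUEST['type'] ) ? wp_unslash( $_REQUEST['type'] ) : '';
    echo do_shortcode( $template ); // client-controlled shortcode text
    wp_die();
}
add_action( 'wp_ajax_nopriv_gp_example_get_logs', 'gp_example_get_logs_vulnerable' );

// HARDENED PATTERN: the client may only select a key; the shortcode text
// itself is defined server-side. A nonce ties the request to a page the
// site rendered, and only the authenticated (wp_ajax_) hook is registered.
function gp_example_get_logs_hardened() {
    // Dies with a 403 if the 'nonce' request parameter is missing or invalid.
    check_ajax_referer( 'gp_example_logs', 'nonce' );

    // Allow-list: request value -> fixed shortcode string. Nothing from the
    // request is ever concatenated into what do_shortcode() receives.
    $allowed = array(
        'recent' => '[gp_example_logs limit="10"]',
        'mine'   => '[gp_example_logs user="current" limit="10"]',
    );

    $key = isset( $_REQUEST['type'] ) ? sanitize_key( $_REQUEST['type'] ) : 'recent';
    if ( ! array_key_exists( $key, $allowed ) ) {
        // Reject unknown selectors outright instead of rendering them.
        wp_send_json_error( 'invalid log type', 400 );
    }

    echo do_shortcode( $allowed[ $key ] );
    wp_die();
}
add_action( 'wp_ajax_gp_example_get_logs', 'gp_example_get_logs_hardened' );
```

The design point is that validation must happen before do_shortcode() sees the string: sanitizing the input as text is not enough, because any valid shortcode syntax survives sanitization. Mapping the request to a server-side key is what removes the attacker's control. For the temporary workaround in the Recommendations, a site owner who cannot edit the plugin would unhook its handler from a must-use plugin with remove_action() on the plugin's real wp_ajax_nopriv_ hook; that hook name is not given on this page, so it is not shown here.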

Fix

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2024-13495

Affected Products: Gamipress