PT-2025-52437 · WordPress · Mycred

Rafshanzani Suhada · Published 2025-12-19 · Updated 2025-12-19 · CVE-2025-12361

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program versions up to and including 2.9.7.1

Description: The software does not properly verify user authorization, allowing authenticated attackers with Subscriber-level access or higher to retrieve sensitive user information. Specifically, attackers can access user IDs, display names, and email addresses of all users on the site through the get bank accounts API endpoint. Passwords are not exposed.

Recommendations: Versions prior to 2.9.7.1 should be updated.

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2025-12361

Affected Products: Mycred