PT-2026-5883 · WordPress · Myrewards – Loyalty Points/Rewards For Woocommerce
Tharadol Suksamran · Published 2026-02-04 · Updated 2026-02-04
CVE-2025-15260
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
MyRewards – Loyalty Points and Rewards for WooCommerce plugin versions prior to 5.6.1
Description
The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress does not properly verify user authorization when performing actions within the ajax function. This allows authenticated attackers with subscriber-level access or higher to modify, add, or delete loyalty program earning rules. Specifically, attackers can manipulate point multipliers to arbitrary values.
Recommendations
Update the MyRewards – Loyalty Points and Rewards for WooCommerce plugin to version 5.6.1 or later.
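For plugin authors auditing similar handlers, the following added example shows the authorization pattern whose absence the description refers to. It is not the MyRewards plugin's code: the action name, function name, nonce action, option key, multiplier bounds and the choice of the `manage_woocommerce` capability are all assumptions made for illustration.

```php
<?php
// Hypothetical plugin code (not from MyRewards) showing a hardened
// WordPress AJAX handler for saving a loyalty earning rule.
//
// wp_ajax_{action} hooks fire for ANY logged-in user, subscribers
// included, so the handler itself must decide who may change rules.
add_action( 'wp_ajax_example_rewards_save_rule', 'example_rewards_save_rule' );

function example_rewards_save_rule() {
    // 1. CSRF protection: dies with a 403 if the nonce is missing or invalid.
    //    A nonce is not an authorization check; any logged-in user who can
    //    load a page that prints it can obtain a valid one.
    check_ajax_referer( 'example_rewards_save_rule', 'nonce' );

    // 2. Authorization: the capability check a vulnerable handler omits.
    //    'manage_woocommerce' is assumed to be the right capability here.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input validation: never store a multiplier straight from the request.
    $rule_id = isset( $_POST['rule_id'] ) ? absint( $_POST['rule_id'] ) : 0;
    $raw     = isset( $_POST['multiplier'] ) ? wp_unslash( $_POST['multiplier'] ) : '';

    // is_numeric() also rejects arrays sent as multiplier[]=...
    if ( $rule_id < 1 || ! is_numeric( $raw ) ) {
        wp_send_json_error( array( 'message' => 'Invalid rule' ), 400 );
    }

    // Bounds are constructed for this example; use the business limits.
    $multiplier = (float) $raw;
    if ( $multiplier < 0.1 || $multiplier > 10.0 ) {
        wp_send_json_error( array( 'message' => 'Multiplier out of range' ), 400 );
    }

    // 4. Persist only after every check above has passed.
    $rules             = (array) get_option( 'example_rewards_rules', array() );
    $rules[ $rule_id ] = array( 'multiplier' => $multiplier );
    update_option( 'example_rewards_rules', $rules );

    wp_send_json_success( array( 'rule_id' => $rule_id ) );
}
```

A handler that dispatches several sub-actions from one entry point needs the capability check before the dispatch, or in every branch, so that add, modify and delete paths are all covered.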
Fix
LPE
Missing Authorization
Affected Products
Myrewards – Loyalty Points/Rewards For Woocommerce