{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24581", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:07.880Z", "datePublished": "2026-01-23T14:28:59.230Z", "dateUpdated": "2026-04-28T16:14:49.797Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "points-and-rewards-for-woocommerce", "product": "Points and Rewards for WooCommerce", "vendor": "WP Swings", "versions": [{"changes": [{"at": "2.9.6", "status": "unaffected"}], "lessThanOrEqual": "2.9.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rapid0nion | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:53.355Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5.</p>"}], "value": "Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.797Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/points-and-rewards-for-woocommerce/vulnerability/wordpress-points-and-rewards-for-woocommerce-plugin-2-9-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Points and Rewards for WooCommerce plugin <= 2.9.5 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:25:55.270423Z", "id": "CVE-2026-24581", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:30:26.214Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24581", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:25:55.270423Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:25:52.153Z"}}], "cna": {"title": "WordPress Points and Rewards for WooCommerce plugin <= 2.9.5 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Rapid0nion | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WP Swings", "product": "Points and Rewards for WooCommerce", "versions": [{"status": "affected", "changes": [{"at": "2.9.6", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.9.5"}], "packageName": "points-and-rewards-for-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:53.355Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/points-and-rewards-for-woocommerce/vulnerability/wordpress-points-and-rewards-for-woocommerce-plugin-2-9-5-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.816Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24581", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:30:26.214Z", "dateReserved": "2026-01-23T12:32:07.880Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:59.230Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en WP Swings Points and Rewards para WooCommerce points-and-rewards-for-woocommerce permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Points and Rewards para WooCommerce: desde n/a hasta &lt;= 2.9.5."}], "id": "CVE-2026-24581", "lastModified": "2026-04-28T15:16:16.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:16.050", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/points-and-rewards-for-woocommerce/vulnerability/wordpress-points-and-rewards-for-woocommerce-plugin-2-9-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:38:53.415970+00:00", "value": {"mitigation_remediation": ["Upgrade the Points and Rewards for WooCommerce plugin to version 2.9.6 or later to obtain the official fix.", "Review and tighten role\u2011based permissions for the plugin to ensure only authorized users can access sensitive administration features.", "Disable or remove the plugin if it is not required for business processes, and monitor administrative logs for any anomalous activity."], "summary": {"action": "Apply patch", "impact": "Broken Access Control allowing unauthorized operations"}, "threat_synthesis": {"affected_systems": "The problem affects the WP Swings Points and Rewards for WooCommerce plugin, in all releases up to and including version 2.9.5. Users running any older or older patch edition of the plugin are potentially exposed.", "description_and_impact": "This vulnerability is a missing authorization flaw in the WP Swings Points and Rewards for WooCommerce plugin, where improper access control checks enable a user to execute admin\u2011level functions without proper privileges. As a result, an attacker can manipulate points, rewards, or related settings beyond their allowed scope, potentially leading to financial loss or credential compromise for target accounts. The weakness is categorized as CWE\u2011862, an improper authorization weakness.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates moderate severity, and the EPSS probability is less than 1%, suggesting a low but non\u2011zero likelihood of exploitation. The issue has not been reported in CISA\u2019s KEV catalog. Because the flaw involves incorrect assignment of access rights, an attacker who can exploit any authenticated user session or who can create a new user will be able to bypass restrictions. The attack could be performed remotely via legitimate plugin interfaces, requiring no special network access."}}}}, "created": "2026-01-26T11:53:35.836096+00:00", "updated": "2026-04-16T01:45:20.656600+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpswings", "wpswings$PRODUCT$points_and_rewards_for_woocommerce"]}