CVE-2026-10628 in Points and Rewards for WooCommerce Plugininfo

Summary

by MITRE • 07/11/2026

The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to convert and drain any user's reward points into wallet balance, exfiltrate all users' emails and point balances to an attacker-controlled Klaviyo account, overwrite the site's Klaviyo public API key, block or unblock arbitrary users from the points system, and modify campaign banner and heading settings. The nonce used for authentication of these requests (wps-wpr-verify-nonce) is injected into every public-facing page via wp_localize_script(), and the wps_wpr_generate_custom_wallet handler is additionally registered on the wp_ajax_nopriv_ hook, meaning unauthenticated visitors can also obtain a valid nonce and exploit that specific action.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/11/2026

The vulnerability in the Points and Rewards for WooCommerce plugin represents a critical authorization bypass flaw that undermines the security model of WordPress sites using this e-commerce extension. This weakness affects all versions up to and including 2.10.0, creating a persistent risk for online stores that rely on user points systems and reward mechanisms. The core issue stems from inadequate access control verification within the plugin's code implementation, allowing malicious actors with minimal privileges to escalate their capabilities significantly.

The technical flaw manifests through improper authentication checks that fail to validate user permissions before executing sensitive operations. Specifically, the plugin registers the wps_wpr_generate_custom_wallet handler on the wp_ajax_nopriv_ hook, which means that any visitor can access this endpoint without proper authentication. Additionally, the wps-wpr-verify-nonce is improperly exposed through wp_localize_script() on all public pages, making it trivial for attackers to obtain valid nonces required for exploitation. This dual vulnerability creates a perfect storm where both authenticated users with subscriber-level access and unauthenticated visitors can leverage the same nonce to perform privileged actions.

The operational impact of this vulnerability extends far beyond simple privilege escalation, creating multiple attack vectors that can compromise user data and system integrity. Attackers can drain reward points from any user account and transfer them to their own wallet balance, effectively stealing value from legitimate customers. The exposure of all users' email addresses and point balances creates a massive data exfiltration opportunity that violates privacy regulations and customer trust. Furthermore, the ability to overwrite the site's Klaviyo public API key allows attackers to redirect marketing data to their own accounts, potentially causing revenue loss and disrupting legitimate marketing campaigns.

The vulnerability enables additional malicious activities such as blocking or unblocking arbitrary users from the points system, which can be used for user harassment or competitive disruption. Modification of campaign banner and heading settings provides attackers with opportunities to manipulate marketing communications and potentially conduct social engineering attacks against customers. This comprehensive attack surface aligns with common attack patterns documented in the ATT&CK framework under credential access and privilege escalation techniques, where attackers leverage application-level weaknesses to gain unauthorized system control.

Security mitigations for this vulnerability should focus on implementing proper authentication checks at all entry points, particularly those handling user-specific data modifications. The plugin must remove the wp_ajax_nopriv_ registration for sensitive handlers and ensure that nonces are properly validated against authenticated user sessions rather than being exposed globally. Organizations should immediately update to patched versions of the plugin, implement network monitoring for suspicious API activity, and conduct thorough security audits of their WordPress installations. The vulnerability also highlights the importance of following secure coding practices as outlined in CWE categories related to improper authentication and insufficient access control mechanisms that directly contribute to such authorization bypass scenarios.

Responsible

Wordfence

Reservation

06/02/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!