GamiPress WordPress Plugin Activity Log IDOR Vulnerability
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view private GamiPress activity log entries belonging to any user, including badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress. This is exploitable by any unauthenticated visitor because the required 'gamipress' nonce is broadcast to all front-end users via wp_localize_script on the wp_enqueue_scripts hook, making the sole authentication barrier trivially bypassable.
Quick answer
GamiPress should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- GamiPress up to and including 7.9.4
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
GamiPress is affected by CVE-2026-13450. Versions up to 7.9.4 allow insecure direct object reference behavior: unauthenticated attackers can view private activity log entries by abusing a user-controlled access key. Patch the plugin and audit exposed private records.
- Inventory WordPress sites using GamiPress.
- Update GamiPress beyond 7.9.4 when a fixed release is available.
- Disable or restrict the affected front-end/API feature until patched.
- Review public nonces and endpoints that expose object IDs or access keys.
- Audit activity logs and sensitive records for enumeration or unauthorized access.
- Restrict low-privilege or unauthenticated access to affected plugin routes with WAF rules.
- Clear caches after patching to remove stale public JavaScript data.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm GamiPress is no longer version 7.9.4 or older.
- Attempt a safe object-ID substitution test in staging and confirm unauthorized records are denied.
- Confirm legitimate users can still access only their own permitted records.
- Review logs for continued enumeration attempts after mitigation.
- Run a Fixnx scan and confirm public WordPress exposure is rechecked.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-13450?
GamiPress versions listed as affected should be reviewed: GamiPress up to and including 7.9.4.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
