mediumCVE-2026-13450

GamiPress WordPress Plugin Activity Log IDOR Vulnerability

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view private GamiPress activity log entries belonging to any user, including badge earnings, points balance changes, and event records from integrated plugins such as WooCommerce, LearnDash, and BuddyPress. This is exploitable by any unauthenticated visitor because the required 'gamipress' nonce is broadcast to all front-end users via wp_localize_script on the wp_enqueue_scripts hook, making the sole authentication barrier trivially bypassable.

ProductGamiPress
CVSS5.3
EPSS0.00408
UpdatedJuly 10, 2026

Quick answer

GamiPress should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • GamiPress up to and including 7.9.4

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

GamiPress is affected by CVE-2026-13450. Versions up to 7.9.4 allow insecure direct object reference behavior: unauthenticated attackers can view private activity log entries by abusing a user-controlled access key. Patch the plugin and audit exposed private records.

  1. Inventory WordPress sites using GamiPress.
  2. Update GamiPress beyond 7.9.4 when a fixed release is available.
  3. Disable or restrict the affected front-end/API feature until patched.
  4. Review public nonces and endpoints that expose object IDs or access keys.
  5. Audit activity logs and sensitive records for enumeration or unauthorized access.
  6. Restrict low-privilege or unauthenticated access to affected plugin routes with WAF rules.
  7. Clear caches after patching to remove stale public JavaScript data.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm GamiPress is no longer version 7.9.4 or older.
  • Attempt a safe object-ID substitution test in staging and confirm unauthorized records are denied.
  • Confirm legitimate users can still access only their own permitted records.
  • Review logs for continued enumeration attempts after mitigation.
  • Run a Fixnx scan and confirm public WordPress exposure is rechecked.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-13450?

GamiPress versions listed as affected should be reviewed: GamiPress up to and including 7.9.4.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.