WP-Safety
CVE-2026-40786

MyRewards <= 5.7.3 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
5.7.4
Patched in
6d
Time to patch

Description

The MyRewards plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.7.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.7.3
PublishedApril 16, 2026
Last updatedApril 21, 2026
Affected pluginwoorewards

What Changed in the Fix

Changes introduced in v5.7.4

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v5.7.3.1
Browse source Download .zip
Patched v5.7.4
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-40786 (MyRewards) ## 1. Vulnerability Summary The **MyRewards** plugin (up to 5.7.3) suffers from a **Missing Authorization** vulnerability within its administrative AJAX handling framework, `lws-adminpanel`. The plugin registers several AJAX actions via the …

Show full research plan

Exploitation Research Plan - CVE-2026-40786 (MyRewards)

1. Vulnerability Summary

The MyRewards plugin (up to 5.7.3) suffers from a Missing Authorization vulnerability within its administrative AJAX handling framework, lws-adminpanel. The plugin registers several AJAX actions via the wp_ajax_ hook, which makes them accessible to any authenticated user (including Subscribers). Specifically, the generic button trigger handler and point export actions fail to perform sufficient capability checks (e.g., current_user_can('manage_options')) before executing privileged loyalty system operations.

2. Attack Vector Analysis

  • Endpoints:
    • /wp-admin/admin-ajax.php?action=woorewards-lite-export-wr
    • /wp-admin/admin-ajax.php?action=woorewards-lite-export-points
    • /wp-admin/admin-ajax.php?action=lws_adminpanel_field_button
  • Vulnerable Action: woorewards-lite-export-wr (Exporting loyalty pool data).
  • Required Parameter: woorewards-lite_from_pool (The ID or slug of the loyalty pool to export).
  • Authentication: Authenticated, Subscriber-level or above.
  • Preconditions: At least one Loyalty Pool must be configured in the
Research Findings
Static analysis — not yet PoC-verified

Summary

The MyRewards plugin for WordPress is vulnerable to unauthorized access and action execution due to missing capability and nonce checks in its internal administration framework (lws-adminpanel). Authenticated attackers, including those with subscriber-level permissions, can trigger administrative callbacks or export sensitive loyalty system data and points history.

Vulnerable Code

// assets/lws-adminpanel/include/internal/pages.php
// In the constructor, the plugin registers a generic AJAX action for buttons
if( $this->doingAjax )
{
    add_action('wp_ajax_lws_adminpanel_field_button', array($this, 'ajaxButton'));
}

---

// assets/lws-adminpanel/include/internal/pages.php (~line 481 in vulnerable version)
// Inside the ajaxButton handler, it originally lacks nonce and capability checks before triggering callbacks
$response = $this->trigAjaxButton($this->pages, $button, $data);

---

// include/pointsflow/action.php
// These actions lacked nonce verification, allowing unauthorized or cross-site triggered exports
function exportWR()
{
    if( !\current_user_can('manage_options') )
        \wp_die('forbidden', 403);
    // ... export logic ...
}

function exportPoints()
{
    if( !\current_user_can('manage_options') )
        \wp_die('forbidden', 403);
    // ... export logic ...
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woorewards/5.7.3.1/assets/lws-adminpanel/include/internal/pages.php /home/deploy/wp-safety.org/data/plugin-versions/woorewards/5.7.4/assets/lws-adminpanel/include/internal/pages.php
--- /home/deploy/wp-safety.org/data/plugin-versions/woorewards/5.7.3.1/assets/lws-adminpanel/include/internal/pages.php	2026-02-17 11:50:30.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woorewards/5.7.4/assets/lws-adminpanel/include/internal/pages.php	2026-03-30 14:26:20.000000000 +0000
@@ -481,6 +481,11 @@
 			if( $data === null )
 				exit(0);
 
+			$nonce = sanitize_text_field(wp_unslash($data['lws_adminpanel_triggerable_button_nonce'] ?? ''));
+			if (!\wp_verify_nonce($nonce, 'lws_adminpanel_triggerable_button_nonce')) {
+				\wp_send_json_error(__("Token expired. Please reload the page and retry.", 'lws-adminpanel'));
+			}
+
 			$response = $this->trigAjaxButton($this->pages, $button, $data);
 			if( !is_null($response) )
 			{
@@ -495,6 +500,11 @@
 	{
 		foreach( $tree as $node )
 		{
+			$rights = $node['rights'] ?? '';
+			if ($rights && !\current_user_can($rights)) {
+				continue;
+			}
+
 			if( is_array($node) )
 			{
 				if( isset($node['fields']) )
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woorewards/5.7.3.1/include/pointsflow/action.php /home/deploy/wp-safety.org/data/plugin-versions/woorewards/5.7.4/include/pointsflow/action.php
--- /home/deploy/wp-safety.org/data/plugin-versions/woorewards/5.7.3.1/include/pointsflow/action.php	2026-02-17 11:50:30.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woorewards/5.7.4/include/pointsflow/action.php	2026-03-30 14:26:20.000000000 +0000
@@ -208,6 +208,9 @@
 
 	function exportWR()
 	{
+		if (!\wp_verify_nonce(sanitize_text_field(wp_unslash($_REQUEST['lws_btn_nonce'] ?? '')), 'woorewards-lite' . '-export-wr')) {
+			\wp_die('forbidden', 403);
+		}
 		if( !\current_user_can('manage_options') )
 			\wp_die('forbidden', 403);
 
@@ -225,6 +228,9 @@
 
 	function exportPoints()
 	{
+		if (!\wp_verify_nonce(sanitize_text_field(wp_unslash($_REQUEST['lws_btn_nonce'] ?? '')), 'woorewards-lite' . '-export-points')) {
+			\wp_die('forbidden', 403);
+		}
 		if( !\current_user_can('manage_options') )
 			\wp_die('forbidden', 403);

Exploit Outline

To exploit this vulnerability, an authenticated attacker with Subscriber-level access or higher can bypass intended security restrictions by targeting the plugin's AJAX endpoints. The attacker can directly send a request to /wp-admin/admin-ajax.php using the generic 'lws_adminpanel_field_button' action or the specific 'woorewards-lite-export-wr' / 'woorewards-lite-export-points' actions. Because the vulnerable versions failed to verify nonces for these triggers and did not consistently enforce capability checks within the 'lws-adminpanel' framework during AJAX processing, the attacker can execute sensitive functions (callbacks) or export data (such as loyalty pool contents via the woorewards-lite_from_pool parameter) that should be restricted to administrators.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/9332f737-7620-412a-9338-1212c9c4ebd8?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database