Key Information Summary

CVE ID: CVE-2025-15260
CVSS Score: 6.5 (Medium)
Vulnerability Type: Missing Authorization
Published Date: February 3, 2026
Last Updated: February 4, 2026
Researcher: Tharadol Suksamran (d3kc4rt_1)

Affected Software:
- Type: Plugin
- Slug: woorewards
- Affected Version: <= 5.6.0

Vulnerability Description:
- The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization. This allows authenticated attackers to modify, add, or delete any loyalty program earning rules, including manipulating point multipliers to arbitrary values.

References:
- plugins.trac.wordpress.org

Mitigation:
- No known patch available. Consider uninstalling the affected software and finding a replacement.

Additional Notes

The vulnerability was reported via a bug bounty program. The Wordfence Intelligence Vulnerability Database API is free and can be queried for more detailed information.