What the vulnerability does
01 Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPSwings WooCommerce Ultimate Points And Rewards (woocommerce-ultimate-points-and-rewards) allows Retrieve Embedded Sensitive Data. This issue affects WooCommerce Ultimate Points And Rewards: from n/a through <= 2.10.2.
Explanation of Vulnerability in Simple Terms
02 Summary
WooCommerce Ultimate Points And Rewards versions up to 2.10.2 expose sensitive information to authenticated users. A logged-in user with low privileges can read data they should not have access to. The vulnerability requires a valid account but no additional user interaction. Update to a version newer than 2.10.2.
What an attacker can do
03 Attacker Capabilities
Read sensitive data accessible only to higher-privilege users.
Potential impact on your site
04 Site Impact
User data may be exposed to customers or low-privilege staff accounts.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid low-privilege account on the site.
Key dates
06 Disclosure timeline
November 13, 2025: CVE published
April 28, 2026: Record updated