Mycred
CVE-2022-0363
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.
AnalysisAI
The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts. Affected products include: Wpexperts Mycred. Version information: before 2.4.3.1.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL stateme
The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export
The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred - Po
Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions. Rated medium severity (CVSS 6.5), this
Broken access control in the myCred WordPress plugin (all versions through 3.0.3) allows authenticated users with only s
Stored XSS in the myCred WordPress plugin (versions through 3.0.4) enables authenticated low-privileged attackers to per
Missing Authorization in the myCred WordPress plugin (all versions through 3.1.2) allows authenticated low-privileged us
The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, Woo
The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, Woo
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today