Skip to main content

Mycred CVE-2023-35096

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2023-07-17 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
CVE Published
Jul 17, 2023 - 14:15 cve.org
MEDIUM 6.5

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions.

AnalysisAI

Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions. Affected products include: Wpexperts Mycred.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

More in Mycred

View all
CVE-2021-24755 HIGH POC
8.8 Nov 29

The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL stateme

CVE-2022-1092 MEDIUM POC
4.3 Apr 25

The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export

CVE-2022-0363 MEDIUM POC
4.3 Apr 25

The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-ex

CVE-2022-0287 MEDIUM POC
4.3 Apr 25

The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX

CVE-2023-47853 MEDIUM
6.5 Nov 30

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred - Po

CVE-2026-40794 MEDIUM
6.5 Jun 15

Broken access control in the myCred WordPress plugin (all versions through 3.0.3) allows authenticated users with only s

CVE-2026-42676 MEDIUM
6.5 Jun 01

Stored XSS in the myCred WordPress plugin (versions through 3.0.4) enables authenticated low-privileged attackers to per

CVE-2026-61968 MEDIUM
5.4 Jul 13

Missing Authorization in the myCred WordPress plugin (all versions through 3.1.2) allows authenticated low-privileged us

CVE-2024-10187 MEDIUM
5.4 Nov 08

The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, Woo

CVE-2024-8658 MEDIUM
5.3 Sep 25

The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, Woo

Share

CVE-2023-35096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy