Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred allows Stored XSS.
This issue affects myCred: from n/a through 3.0.4.
AnalysisAI
Stored XSS in the myCred WordPress plugin (versions through 3.0.4) enables authenticated low-privileged attackers to persistently inject malicious scripts into web pages served by the application. When a victim - such as an administrator - subsequently visits an affected page, the stored payload executes within their browser session in the context of the WordPress origin, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
myCred is a WordPress plugin providing a gamification and loyalty points management system. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the stored variant: user-controlled input submitted to a myCred feature is persisted to the WordPress database without adequate sanitization or contextual output encoding, and is later rendered into HTML without escaping. The CVSS scope value of Changed (S:C) confirms that exploitation crosses trust boundaries - the injected script executes in the victim's browser environment, outside myCred's own execution context, affecting the broader WordPress session. The affected product is identified by CPE cpe:2.3:a:mycred:mycred:*:*:*:*:*:*:*:*, covering all releases through 3.0.4.
RemediationAI
The primary remediation is to update the myCred plugin to a version beyond 3.0.4 as soon as the vendor releases a patched build. The exact fix version is not specified in the currently available data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/mycred/vulnerability/wordpress-mycred-plugin-3-0-4-cross-site-scripting-xss-vulnerability?_s_id=cve and the WordPress plugin repository for the confirmed patched release. If an update is not immediately available, restrict myCred input functionality to trusted, high-privileged users by adjusting WordPress role capabilities, which will limit the plugin's reward program accessibility for lower-privileged members as a trade-off. Deploying a WAF rule to strip or block script injection patterns (such as inline event handlers and script tags) in myCred-related form fields provides an additional compensating control, though WAF rules may block legitimate rich-text content if not carefully scoped.
The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL stateme
The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export
The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-ex
The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred - Po
Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions. Rated medium severity (CVSS 6.5), this
Broken access control in the myCred WordPress plugin (all versions through 3.0.3) allows authenticated users with only s
Missing Authorization in the myCred WordPress plugin (all versions through 3.1.2) allows authenticated low-privileged us
The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, Woo
The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, Woo
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33687
GHSA-g9xh-85w3-3grp