Skip to main content

Mycred

11 CVEs product

Monthly

CVE-2026-61968 MEDIUM This Month

Missing Authorization in the myCred WordPress plugin (all versions through 3.1.2) allows authenticated low-privileged users to exploit incorrectly configured access control levels, resulting in unauthorized integrity and availability impacts against the plugin's loyalty points system. The root cause (CWE-862) indicates the plugin performs sensitive operations without verifying that the requesting user holds the requisite permission level. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Mycred
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-40794 MEDIUM This Month

Broken access control in the myCred WordPress plugin (all versions through 3.0.3) allows authenticated users with only subscriber-level privileges to bypass authorization checks and perform actions reserved for higher-privileged roles, yielding high integrity impact on affected installations. The root cause is missing authorization enforcement (CWE-862) on one or more plugin endpoints, meaning the plugin executes sensitive operations - such as manipulating loyalty points or reward data - without verifying the requesting user's actual capabilities. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the low complexity and no-user-interaction requirement make exploitation straightforward for any attacker holding a valid account.

Authentication Bypass Mycred
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-42676 MEDIUM This Month

Stored XSS in the myCred WordPress plugin (versions through 3.0.4) enables authenticated low-privileged attackers to persistently inject malicious scripts into web pages served by the application. When a victim - such as an administrator - subsequently visits an affected page, the stored payload executes within their browser session in the context of the WordPress origin, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Mycred
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-10187 MEDIUM PATCH This Month

The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Mycred
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-8658 MEDIUM PATCH This Month

The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Mycred
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2023-47853 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred - Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin allows Stored. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Mycred
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2023-35096 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mycred
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2022-1092 MEDIUM POC This Month

The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Mycred
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-0363 MEDIUM POC This Month

The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Mycred
NVD WPScan
CVSS 3.1
4.3
EPSS
0.3%
CVE-2022-0287 MEDIUM POC This Month

The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Mycred
NVD WPScan
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-24755 HIGH POC This Week

The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Mycred
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization in the myCred WordPress plugin (all versions through 3.1.2) allows authenticated low-privileged users to exploit incorrectly configured access control levels, resulting in unauthorized integrity and availability impacts against the plugin's loyalty points system. The root cause (CWE-862) indicates the plugin performs sensitive operations without verifying that the requesting user holds the requisite permission level. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Mycred
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in the myCred WordPress plugin (all versions through 3.0.3) allows authenticated users with only subscriber-level privileges to bypass authorization checks and perform actions reserved for higher-privileged roles, yielding high integrity impact on affected installations. The root cause is missing authorization enforcement (CWE-862) on one or more plugin endpoints, meaning the plugin executes sensitive operations - such as manipulating loyalty points or reward data - without verifying the requesting user's actual capabilities. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the low complexity and no-user-interaction requirement make exploitation straightforward for any attacker holding a valid account.

Authentication Bypass Mycred
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored XSS in the myCred WordPress plugin (versions through 3.0.4) enables authenticated low-privileged attackers to persistently inject malicious scripts into web pages served by the application. When a victim - such as an administrator - subsequently visits an affected page, the stored payload executes within their browser session in the context of the WordPress origin, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Mycred
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Mycred
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The myCred - Loyalty Points and Rewards plugin for WordPress and WooCommerce - Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Mycred
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred - Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin allows Stored. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Mycred
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mycred
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Mycred
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Mycred
NVD WPScan
EPSS 1% CVSS 4.3
MEDIUM POC This Month

The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Mycred
NVD WPScan
EPSS 1% CVSS 8.8
HIGH POC This Week

The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Mycred
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy