Skip to main content

Points Management System For Gamification Ranks Badges And Loyalty Rewards Program Mycred

1 CVEs product

Monthly

CVE-2026-8607 MEDIUM This Month

Stored XSS in the myCred WordPress plugin (versions up to and including 3.1) allows authenticated attackers holding contributor-level access or above to inject persistent JavaScript payloads via the unsanitized 'wrap' shortcode attribute in the leaderboard shortcode handler. When any user - including administrators - visits a page containing the injected shortcode, the payload executes in their browser, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis; fix is available in version 3.1.1 as confirmed by WordPress plugin trac changeset 3572451.

WordPress XSS Points Management System For Gamification Ranks Badges And Loyalty Rewards Program Mycred
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the myCred WordPress plugin (versions up to and including 3.1) allows authenticated attackers holding contributor-level access or above to inject persistent JavaScript payloads via the unsanitized 'wrap' shortcode attribute in the leaderboard shortcode handler. When any user - including administrators - visits a page containing the injected shortcode, the payload executes in their browser, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis; fix is available in version 3.1.1 as confirmed by WordPress plugin trac changeset 3572451.

WordPress XSS Points Management System For Gamification Ranks Badges And Loyalty Rewards Program Mycred
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy