Points Management System For Gamification Ranks Badges And Loyalty Rewards Program Mycred
Monthly
Stored XSS in the myCred WordPress plugin (versions up to and including 3.1) allows authenticated attackers holding contributor-level access or above to inject persistent JavaScript payloads via the unsanitized 'wrap' shortcode attribute in the leaderboard shortcode handler. When any user - including administrators - visits a page containing the injected shortcode, the payload executes in their browser, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis; fix is available in version 3.1.1 as confirmed by WordPress plugin trac changeset 3572451.
Stored XSS in the myCred WordPress plugin (versions up to and including 3.1) allows authenticated attackers holding contributor-level access or above to inject persistent JavaScript payloads via the unsanitized 'wrap' shortcode attribute in the leaderboard shortcode handler. When any user - including administrators - visits a page containing the injected shortcode, the payload executes in their browser, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis; fix is available in version 3.1.1 as confirmed by WordPress plugin trac changeset 3572451.