The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.
Advisories
Source ID Title
EUVD EUVD EUVD-2022-15518 The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 17 Oct 2025 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Wpexperts
Wpexperts mycred
CPEs cpe:2.3:a:mycred:mycred:*:*:*:*:*:wordpress:*:* cpe:2.3:a:wpexperts:mycred:*:*:*:*:*:wordpress:*:*
Vendors & Products Mycred
Mycred mycred
Wpexperts
Wpexperts mycred

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2024-08-02T23:25:40.197Z

Reserved: 2022-01-25T00:00:00

Link: CVE-2022-0363

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-04-25T16:16:07.577

Modified: 2025-10-17T16:52:50.380

Link: CVE-2022-0363

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.