Description
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Saad Iqbal myCred mycred allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue affects myCred: from n/a through <= 2.9.4.3.
Published: 2025-08-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Time‑of‑Check Time‑of‑Use race condition in the Saad Iqbal myCred WordPress plugin, classified as CWE‑367. It can allow an attacker to create or modify content or data inconsistently, potentially leading to unauthorized actions. The flaw carries a CVSS score of 5.3, indicating a moderate impact.

Affected Systems

All installations of the myCred WordPress plugin from the earliest releases up through version 2.9.4.3 are potentially affected. Users running any version equal to or older than 2.9.4.3 are at risk.

Risk and Exploitability

The EPSS score is <1 %, indicating a low likelihood of exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a precise timing sequence, likely involving concurrent or repeated requests through the web interface, which limits practicality. No publicly available exploit has been reported, and the moderate CVSS score suggests potential compromise of data integrity but unlikely full system compromise.

Generated by OpenCVE AI on April 30, 2026 at 03:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the myCred plugin to any version above 2.9.4.3 to eliminate the race condition.
  • If an upgrade is not immediately feasible, restrict administrative access to the plugin and limit its use to trusted users only.
  • Implement additional input validation and enforce strict file permissions on the WordPress installation to reduce the chance of race condition exploitation until a patch is applied.

Generated by OpenCVE AI on April 30, 2026 at 03:37 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-24725
Title: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Saad Iqbal myCred allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue affects myCred: from n/a through 2.9.4.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Saad Iqbal myCred allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue affects myCred: from n/a through 2.9.4.3.
  Added: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Saad Iqbal myCred mycred allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions.This issue affects myCred: from n/a through <= 2.9.4.3.
Title
  Removed: WordPress myCred Plugin plugin <= 2.9.4.3 - Race Condition Vulnerability
  Added: WordPress myCred plugin <= 2.9.4.3 - Race Condition Vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Sat, 16 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Mycred
Mycred mycred
Wordpress
Wordpress wordpress
Vendors & Products Mycred
Mycred mycred
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Saad Iqbal myCred allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue affects myCred: from n/a through 2.9.4.3.
Title WordPress myCred Plugin plugin <= 2.9.4.3 - Race Condition Vulnerability
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:34.224Z

Reserved: 2025-07-28T10:55:38.571Z

Link: CVE-2025-54667

Vulnrichment

Updated: 2025-08-14T14:34:39.237Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:44.730

Modified: 2026-04-23T15:32:47.203

Link: CVE-2025-54667

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:45:06Z

Weaknesses