Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS. This issue affects myCred: from n/a through <= 2.9.4.3.
Published: 2025-08-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of user-supplied input during web page generation (CWE-79), enabling stored cross-site scripting (XSS). An attacker who can save a payload into a field that the plugin later renders gets JavaScript served to other visitors of that page; in the victim's browser it can read session cookies or tokens that are not HttpOnly, perform actions with the victim's privileges, deface the page, or redirect users to attacker-controlled resources. The root cause behind CWE-79 is missing or incorrect output encoding for the HTML context in which stored data is rendered, not merely weak input validation. This record concerns the stored variant only: the payload persists server-side and fires each time the affected page is viewed, without the victim having to follow a crafted link.

Affected Systems

The issue affects the Saad Iqbal myCred WordPress plugin in all versions up to and including 2.9.4.3 (the record gives no lower bound, "n/a"). Any WordPress site running myCred 2.9.4.3 or earlier should be treated as affected until a fixed release is installed.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 rates the flaw Medium, and an EPSS score below 1% indicates a low probability of exploitation in the wild at present. The vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment on the record marks exploitation as 'none' and the issue as not automatable. The vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) states the conditions: the attacker needs a low-privileged account on the site (PR:L), a victim must load the page where the stored payload is rendered (UI:R), and the impact lands in other users' browsers rather than in the plugin itself (S:C), with low confidentiality, integrity and availability impact. The record does not name the affected field; what the attacker needs is write access to some value the plugin stores and later outputs without encoding. Where that holds, the payload runs as arbitrary JavaScript in the victim's browser under the victim's session.

Generated by OpenCVE AI on April 30, 2026 at 03:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade myCred to the first release after 2.9.4.3 that the vendor ships with a fix, as soon as it is available (this page does not yet list a fixed version).
  • Until then, restrict or disable myCred features that let low-privileged users save free-form text which the plugin later renders, and review which accounts hold that access.
  • Ensure every stored value is encoded for the HTML context it is output into (in WordPress: esc_html(), esc_attr(), esc_url() or wp_kses_post()); a web application firewall can block common XSS payloads as a stopgap but does not replace output encoding.
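The following Python script is an added illustration, not myCred's code (its profile-field store, templates and payloads are constructed for the example), serving both the Impact section's description of CWE-79 and the third action above: the same stored value is rendered three ways, and a small HTMLParser-based detector reports which renderings a browser would execute. html.escape() stands in for WordPress's esc_html()/esc_attr().

```python
import html
import re
from html.parser import HTMLParser

# Constructed in-memory stand-in for a plugin's stored profile field (hypothetical).
STORE: dict[int, str] = {}


def save_display_name(user_id: int, value: str) -> None:
    """Persist exactly what the user sent, as a vulnerable plugin would."""
    STORE[user_id] = value


def strip_tags(value: str) -> str:
    """A naive input filter: drops <...> sequences and nothing else."""
    return re.sub(r"<[^>]*>", "", value)


def render_vulnerable(user_id: int) -> str:
    """CWE-79 pattern: the stored value is concatenated into HTML with no output encoding."""
    name = STORE[user_id]
    return f'<span class="member" title="{name}">{name}</span>'


def render_input_filtered(user_id: int) -> str:
    """Same template; the value was 'sanitized' by tag stripping instead of encoded at output."""
    name = strip_tags(STORE[user_id])
    return f'<span class="member" title="{name}">{name}</span>'


def render_hardened(user_id: int) -> str:
    """Neutralize at output, per context: quote=True for the attribute value, plain escape for text."""
    name = STORE[user_id]
    return (f'<span class="member" title="{html.escape(name, quote=True)}">'
            f'{html.escape(name)}</span>')


class ActiveContentDetector(HTMLParser):
    """Flags markup a browser would execute: <script> elements, on* handlers, javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"event handler {lname}")
            if lname in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {lname}")


def active_content(rendered: str) -> list[str]:
    """Return the executable constructs found in a rendered fragment (empty list = inert)."""
    p = ActiveContentDetector()
    p.feed(rendered)
    p.close()
    return p.findings


# Constructed payloads: one aimed at the text context, one that breaks out of the attribute.
TEXT_CONTEXT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_BREAKOUT_PAYLOAD = '" onmouseover="alert(document.cookie)'


def demo() -> dict[str, list[str]]:
    """Render both payloads through all three templates and collect what each would execute."""
    results = {}
    for label, payload in (("text", TEXT_CONTEXT_PAYLOAD), ("attr", ATTR_BREAKOUT_PAYLOAD)):
        save_display_name(1, payload)
        results[f"vulnerable/{label}"] = active_content(render_vulnerable(1))
        results[f"input_filtered/{label}"] = active_content(render_input_filtered(1))
        results[f"hardened/{label}"] = active_content(render_hardened(1))
    return results


if __name__ == "__main__":
    for case, found in demo().items():
        print(f"{case:22} {'EXECUTES: ' + ', '.join(found) if found else 'inert'}")
```

The tag-stripping filter defeats the <script> payload but passes the attribute-breakout payload untouched, which is the usual way input-side "sanitization" fails; encoding for the context at output neutralizes both, which is why the recommended fix is output encoding and a WAF is only a stopgap.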


Advisories
Source: EUVD
ID: EUVD-2025-24724
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred allows Stored XSS. This issue affects myCred: from n/a through 2.9.4.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred allows Stored XSS. This issue affects myCred: from n/a through 2.9.4.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS. This issue affects myCred: from n/a through <= 2.9.4.3.
Title
  Removed: WordPress myCred Plugin plugin <= 2.9.4.3 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress myCred plugin <= 2.9.4.3 - Cross Site Scripting (XSS) Vulnerability
References: changed (values not listed on this page)
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Sat, 16 Aug 2025 21:45:00 +0000

First Time appeared: Mycred, Mycred mycred, Wordpress, Wordpress wordpress
Vendors & Products: Mycred, Mycred mycred, Wordpress, Wordpress wordpress

Thu, 14 Aug 2025 15:15:00 +0000

Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 10:45:00 +0000

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred allows Stored XSS. This issue affects myCred: from n/a through 2.9.4.3.
Title: WordPress myCred Plugin plugin <= 2.9.4.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses: CWE-79
References: added (values not listed on this page)
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Mycred Mycred
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:34.156Z

Reserved: 2025-07-28T10:55:38.571Z

Link: CVE-2025-54668

Vulnrichment

Updated: 2025-08-14T14:17:40.861Z

NVD

Status : Deferred

Published: 2025-08-14T11:15:44.917

Modified: 2026-04-23T15:32:47.323

Link: CVE-2025-54668

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:45:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')