Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS. This issue affects myCred: from n/a through <= 2.9.7.6.
Published: 2026-02-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site Scripting
Action: Apply patch
AI Analysis

Impact

Improper neutralization of user input in the myCred WordPress plugin allows stored cross-site scripting. Malicious input is saved and later rendered unsanitized in web pages, letting an attacker inject arbitrary JavaScript that executes in the browser context of any visitor. Based on the description, the vulnerability is inferred to be a classic input validation weakness categorized as CWE-79, enabling client-side code execution.

Affected Systems

The vulnerability affects all installations of the Saad Iqbal myCred WordPress plugin from version n/a through 2.9.7.6. Any WordPress site running these versions is at risk, because the plugin's handling of stored content that is later displayed to users creates the opportunity for exploitation.

Risk and Exploitability

The base CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability has not yet been catalogued in CISA's KEV list. The likely attack vector is web-based input fields that save data for later rendering, meaning an attacker only needs access to a front-end interface or an administrative input area whose input is not properly sanitized. Because the flaw is stored, the injected script executes for any user who visits the affected page.

Generated by OpenCVE AI on April 16, 2026 at 06:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the myCred plugin to version 2.9.7.7 or later, which includes input sanitization fixes for the affected fields.
  • If an immediate update is not possible, remove the myCred plugin from the site and reinstall the latest version that has the XSS fix.
  • Audit all custom fields and data inputs in the current installation for proper escaping and encoding to prevent similar injection issues in the future.


Tracking


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred mycred allows Stored XSS.This issue affects myCred: from n/a through 2.9.7.6.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS.This issue affects myCred: from n/a through <= 2.9.7.6.
References

Tue, 24 Mar 2026 11:30:00 +0000


Tue, 24 Mar 2026 10:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS.This issue affects myCred: from n/a through <= 2.9.7.6.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred mycred allows Stored XSS.This issue affects myCred: from n/a through 2.9.7.6.
References

Fri, 20 Feb 2026 17:15:00 +0000

Metrics
  Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

First Time appeared: Saadiqbal; Saadiqbal mycred; Wordpress; Wordpress wordpress
Vendors & Products: Saadiqbal; Saadiqbal mycred; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 21:00:00 +0000

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS.This issue affects myCred: from n/a through <= 2.9.7.6.
Title: WordPress myCred plugin <= 2.9.7.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Updated: 2026-04-28T16:15:03.440Z

Reserved: 2026-02-19T09:52:39.682Z

Link: CVE-2026-27440

Vulnrichment

Updated: 2026-02-20T16:47:47.216Z

NVD

Status: Deferred

Published: 2026-02-19T21:18:33.367

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z