Impact
The myCred plugin for WordPress suffers from a stored cross‑site scripting vulnerability in the 'wrap' attribute of its leaderboard shortcode. Authenticated users with contributor or higher privileges can inject arbitrary JavaScript that is stored in the database and then executed in the browsers of any visitor who views the affected page. The injected script can steal or hijack session cookies, deface the site, redirect users, or perform other client‑side malicious actions. The vulnerability does not provide direct remote code execution on the server, but it compromises the confidentiality and integrity of user sessions and can be used for phishing attacks or to spread malware to site visitors.
Affected Systems
This issue was present in all released myCred plugin versions up to and including 3.1, which is distributed as a WordPress plugin named myCred, developed by the vendor saadiqbal. Sites running any of these versions of the plugin are affected.
Risk and Exploitability
The CVSS score of 6.4 indicates a moderate severity, reflecting the fact that the flaw requires authenticated access and does not enable arbitrary code execution on the server. However, because the injected scripts can run in the browsers of all site visitors, the impact on confidentiality and integrity is potentially serious for the user base. The EPSS score is less than 1 %, suggesting that the probability of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, authenticated attackers who can add or edit leaderboard shortcodes may exploit this flaw by inserting malicious JavaScript, leading to cookie theft, defacement, or credential reuse. The low EPSS score alone should not preclude remediation, especially on high‑traffic or sensitive sites.
OpenCVE Enrichment