Description
The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The myCred plugin for WordPress suffers from a stored cross‑site scripting vulnerability in the 'wrap' attribute of its leaderboard shortcode. Authenticated users with contributor or higher privileges can inject arbitrary JavaScript that is stored in the database and then executed in the browsers of any visitor who views the affected page. The injected script can steal or hijack session cookies, deface the site, redirect users, or perform other client‑side malicious actions. The vulnerability does not provide direct remote code execution on the server, but it compromises the confidentiality and integrity of user sessions and can be used for phishing attacks or to spread malware to site visitors.

Affected Systems

This issue was present in all released myCred plugin versions up to and including 3.1, which is distributed as a WordPress plugin named myCred, developed by the vendor saadiqbal. Sites running any of these versions of the plugin are affected.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, reflecting the fact that the flaw requires authenticated access and does not enable arbitrary code execution on the server. However, because the injected scripts can run in the browsers of all site visitors, the impact on confidentiality and integrity is potentially serious for the user base. The EPSS score is less than 1 %, suggesting that the probability of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, authenticated attackers who can add or edit leaderboard shortcodes may exploit this flaw by inserting malicious JavaScript, leading to cookie theft, defacement, or credential reuse. The low EPSS score alone should not preclude remediation, especially on high‑traffic or sensitive sites.

Generated by OpenCVE AI on June 17, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the myCred plugin to a version newer than 3.1 that fixes the 'wrap' attribute handling.
  • If an upgrade cannot be performed immediately, restrict contributor access to pages that embed the vulnerable shortcode or configure the plugin to disable the 'wrap' attribute processing.
  • Review existing leaderboard or shortcode content for potentially injected scripts, remove or sanitize them, and verify that no malicious code remains in the database.

Generated by OpenCVE AI on June 17, 2026 at 17:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Saadiqbal
Saadiqbal mycred – Points Management System For Gamification, Ranks, Badges, And Loyalty Program.
Wordpress
Wordpress wordpress
Vendors & Products Saadiqbal
Saadiqbal mycred – Points Management System For Gamification, Ranks, Badges, And Loyalty Program.
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wrap' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Saadiqbal Mycred – Points Management System For Gamification, Ranks, Badges, And Loyalty Program.
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-17T10:37:24.472Z

Reserved: 2026-05-14T15:32:53.700Z

Link: CVE-2026-8607

cve-icon Vulnrichment

Updated: 2026-06-17T10:37:20.810Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')