CVE-2026-24951
Description
Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects myCred: from n/a through <= 2.9.7.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in myCred plugin (≤2.9.7.3) allows unprivileged users to exploit incorrectly configured access controls, enabling unauthorized actions.
Vulnerability Overview
The myCred plugin for WordPress, versions 2.9.7.3 and earlier, contains a missing authorization vulnerability. The issue stems from incorrect configuration of access control security levels, which fails to properly verify user privileges before allowing certain actions [1].
Exploitation Method
To exploit this vulnerability, an attacker needs only unauthenticated or low-privileged access. The broken access control flaw exists because the plugin does not enforce proper authorization checks in specific functions. This allows a lower-privileged user to perform actions that should require higher privileges, such as administrative operations [1].
Impact
Successful exploitation could allow an attacker to execute unauthorized administrative actions, potentially leading to data manipulation or other security compromises within affected WordPress sites. While the severity is considered medium (CVSS 4.3), the vulnerability is noted to be used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The issue has been addressed in version 2.9.7.4 of myCred. Users are strongly advised to update immediately. For those unable to update, consulting with hosting providers or web developers is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 1
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026), Wordfence Blog · Apr 30, 2026