CVE-2026-40794

Vulnerability

A broken access control vulnerability exists in the myCred WordPress plugin versions <= 3.0.3 [1]. The issue stems from missing authorization, authentication, or nonce token checks in a function, enabling unprivileged users (e.g., subscribers) to execute actions intended only for higher-privileged roles.

Exploitation

An attacker needs only a subscriber-level account on a WordPress site running the vulnerable plugin. No special network position or user interaction beyond having a low-privileged account is required. The attacker can directly exploit the missing authorization check to trigger a function that performs a privileged action [1].

Impact

Successful exploitation allows an unprivileged user to execute actions typically restricted to higher-privileged roles, such as administrators. This can lead to unauthorized modification, data access, or other privilege elevation within the WordPress site. The CVSS v3 score is 6.5 (Medium), and the vulnerability is expected to be used in mass-exploit campaigns [1].

Mitigation

The vendor has released version 3.0.4 which fixes this vulnerability [1]. Users should update to version 3.0.4 or later immediately. For those unable to update immediately, applying a mitigation rule from Patchstack (available to their customers) can block attacks until the patch is applied [1].