VYPR
← All advisories
Medium severity6.5NVD Advisory· Published Jun 1, 2026· Updated Jun 1, 2026

CVE-2026-42676

CVE-2026-42676

Description

A stored cross-site scripting (XSS) vulnerability in the myCred WordPress plugin versions up to 3.0.4 allows attackers to inject malicious scripts into web pages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting (XSS) vulnerability in the myCred WordPress plugin versions up to 3.0.4 allows attackers to inject malicious scripts into web pages.

Vulnerability

The myCred plugin for WordPress is susceptible to a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw affects all versions of the plugin from n/a through 3.0.4 [2].

Exploitation

Successful exploitation requires a privileged user to interact with a malicious link, visit a crafted page, or submit a form. Once the malicious payload is stored, the injected script executes in the context of the victim's browser when they visit the affected page [2].

Impact

An attacker can inject malicious scripts, including redirects, advertisements, and other HTML payloads, into the website. This can lead to unauthorized actions performed on behalf of the user or the compromise of site content viewed by guests [2].

Mitigation

Users should update the myCred plugin to version 3.0.5 or later to resolve this vulnerability [2]. If an immediate update is not possible, site administrators should consult with their hosting provider or web developer for assistance in applying security mitigations.

References
  1. Cross Site Scripting (XSS) in WordPress myCred Plugin

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.