myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wrap' Shortcode Attribute
Description
The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Insufficient input sanitization and output escaping on the 'wrap' shortcode attribute allows stored cross-site scripting."
Attack vector
An attacker with contributor-level WordPress access or higher inserts a myCred shortcode and sets its `wrap` attribute to a malicious payload containing JavaScript. When any user (including administrators) views the page containing that shortcode, the injected script executes in their browser. This is a stored cross-site scripting (XSS) attack because the payload is persisted in the page content and triggers on every visit. The vulnerability is caused by insufficient input sanitization and output escaping on the `wrap` shortcode attribute [CWE-79].
Affected code
The vulnerability resides in the myCred plugin's shortcode attribute handling. The `wrap` attribute of a shortcode is not properly sanitized or escaped before being output, allowing authenticated users with contributor-level access or above to inject arbitrary HTML and JavaScript. The patch file `mycred-functions.php` (around line 4399) shows the `allowed_html_tags()` method which defines permitted tags but does not cover the `wrap` attribute context.
What the fix does
The patch adds proper output escaping (likely using `esc_attr()` or `wp_kses()`) to the `wrap` shortcode attribute before it is rendered in the HTML. Previously the attribute value was output raw, allowing arbitrary HTML and JavaScript. By escaping the attribute value, the plugin ensures that any HTML entities or script tags are neutralized and displayed as literal text rather than executed. The `allowed_html_tags()` method already existed but was not applied to this specific attribute context.
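As an added illustration of the pattern the fix addresses (this is not myCred's own code), a hypothetical shortcode handler whose `wrap` attribute is assumed to supply a CSS class on the wrapper element; the shortcode and function names are invented for the example:

```php
<?php
// Added example, not the plugin's code. WordPress core does not sanitize
// shortcode attribute values: KSES filtering of a Contributor's post
// strips disallowed HTML tags, but the text inside [shortcode wrap="..."]
// is plain text at save time and reaches the handler unchanged.

// BEFORE: the attribute value is concatenated into HTML unescaped.
// A double quote in $atts['wrap'] ends the class attribute, so whatever
// follows is parsed as markup and persists in the page (CWE-79).
function example_points_shortcode_vulnerable( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'wrap' => 'mycred-wrap' ), $atts, 'example_points' );
    return '<div class="' . $atts['wrap'] . '">' . $content . '</div>';
}

// AFTER: escape for the attribute context at output time. esc_attr()
// encodes <, >, &, " and ' so the value can neither terminate the
// attribute nor open a tag; the browser renders it as literal text.
function example_points_shortcode_fixed( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'wrap' => 'mycred-wrap' ), $atts, 'example_points' );
    return '<div class="' . esc_attr( $atts['wrap'] ) . '">' . $content . '</div>';
}

add_shortcode( 'example_points', 'example_points_shortcode_fixed' );
```

Because the escaping happens on output rather than on save, already-stored attribute values are neutralized as soon as the patched code renders them; a reviewer checking a plugin for the same bug class should look for every `$atts[...]` that reaches an echo or return without passing through `esc_attr()`, `esc_html()` or `wp_kses()`.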
Preconditions
- auth: The attacker must have at least Contributor-level access to the WordPress site
- config: The site must have the myCred plugin installed and active with version up to 3.1
- input: The attacker must be able to insert a myCred shortcode with a 'wrap' attribute into a post or page
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/mycred/tags/3.0.2/includes/classes/class.query-leaderboard.php [mitre]
- plugins.trac.wordpress.org/browser/mycred/tags/3.0.2/includes/shortcodes/mycred_leaderboard.php [mitre]
- plugins.trac.wordpress.org/browser/mycred/tags/3.0.6/includes/classes/class.query-leaderboard.php [mitre]
- plugins.trac.wordpress.org/browser/mycred/tags/3.0.6/includes/shortcodes/mycred_leaderboard.php [mitre]
- plugins.trac.wordpress.org/browser/mycred/tags/3.1.1/includes/classes/class.query-leaderboard.php [mitre]
- plugins.trac.wordpress.org/browser/mycred/tags/3.1.1/includes/mycred-functions.php [mitre]
- plugins.trac.wordpress.org/changeset/3572451 [mitre]
- www.wordfence.com/threat-intel/vulnerabilities/id/041a7c9a-d7dc-4742-b879-f1836f324a46 [mitre]