Mycred
by WordPress
Source repositories
CVEs (26)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-43354 | Cri | 0.64 | 9.8 | 0.01 | Aug 19, 2024 | Deserialization of Untrusted Data vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.7.2. | ||
| CVE-2021-24755 | Hig | 0.57 | 8.8 | 0.01 | Nov 29, 2021 | The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user | ||
| CVE-2026-40794 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Broken Access Control in myCred <= 3.0.3 versions. | ||
| CVE-2026-42676 | Med | 0.42 | 6.5 | 0.00 | Jun 1, 2026 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred allows Stored XSS. This issue affects myCred: from n/a through 3.0.4. | ||
| CVE-2025-54668 | Med | 0.42 | 6.5 | 0.00 | Aug 14, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS.This issue affects myCred: from n/a through <= 2.9.4.3. | ||
| CVE-2024-43353 | Med | 0.42 | 6.5 | 0.00 | Aug 18, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.7.2. | ||
| CVE-2024-32711 | Med | 0.42 | 6.5 | 0.00 | Apr 24, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.6.3. | ||
| CVE-2023-47853 | Med | 0.42 | 6.5 | 0.00 | Nov 30, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin allows Stored XSS.This issue affects myCred – Points, Rewards, Gamification, Ranks, Badges &… | ||
| CVE-2023-35096 | Med | 0.42 | 6.5 | 0.00 | Jul 17, 2023 | Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions. | ||
| CVE-2026-0550 | Med | 0.35 | 6.4 | 0.00 | Feb 14, 2026 | The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycred_load_coupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it… | ||
| CVE-2024-11201 | Med | 0.35 | 6.4 | 0.01 | Dec 6, 2024 | The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_send… | ||
| CVE-2025-54667 | Med | 0.34 | 5.3 | 0.00 | Aug 14, 2025 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Saad Iqbal myCred mycred allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions.This issue affects myCred: from n/a through <= 2.9.4.3. | ||
| CVE-2025-49872 | Med | 0.34 | 5.3 | 0.00 | Jun 17, 2025 | Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects myCred: from n/a through <= 2.9.4.2. | ||
| CVE-2024-43214 | Med | 0.34 | 5.3 | 0.00 | Aug 26, 2024 | Missing Authorization vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.7.2. | ||
| CVE-2021-25015 | Med | 0.33 | 6.1 | 0.01 | Jan 24, 2022 | The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue | ||
| CVE-2017-20008 | Med | 0.33 | 6.1 | 0.01 | Nov 29, 2021 | The myCred WordPress plugin before 1.7.8 does not sanitise and escape the user parameter before outputting it back in the Points Log admin dashboard, leading to a Reflected Cross-Site Scripting | ||
| CVE-2026-24951 | Med | 0.28 | 4.3 | 0.00 | Feb 3, 2026 | Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.7.3. | ||
| CVE-2025-49857 | Med | 0.28 | 4.3 | 0.00 | Jun 17, 2025 | Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.4.2. | ||
| CVE-2022-1092 | Med | 0.28 | 4.3 | 0.00 | Apr 25, 2022 | The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog | ||
| CVE-2022-0363 | Med | 0.28 | 4.3 | 0.00 | Apr 25, 2022 | The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating… |
- risk 0.64cvss 9.8epss 0.01
Deserialization of Untrusted Data vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.7.2.
- risk 0.57cvss 8.8epss 0.01
The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user
- risk 0.42cvss 6.5epss 0.00
Subscriber Broken Access Control in myCred <= 3.0.3 versions.
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred allows Stored XSS. This issue affects myCred: from n/a through 3.0.4.
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS.This issue affects myCred: from n/a through <= 2.9.4.3.
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.7.2.
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.6.3.
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin allows Stored XSS.This issue affects myCred – Points, Rewards, Gamification, Ranks, Badges &…
- risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions.
- risk 0.35cvss 6.4epss 0.00
The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycred_load_coupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…
- risk 0.35cvss 6.4epss 0.01
The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_send…
- risk 0.34cvss 5.3epss 0.00
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Saad Iqbal myCred mycred allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions.This issue affects myCred: from n/a through <= 2.9.4.3.
- risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects myCred: from n/a through <= 2.9.4.2.
- risk 0.34cvss 5.3epss 0.00
Missing Authorization vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.7.2.
- risk 0.33cvss 6.1epss 0.01
The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue
- risk 0.33cvss 6.1epss 0.01
The myCred WordPress plugin before 1.7.8 does not sanitise and escape the user parameter before outputting it back in the Points Log admin dashboard, leading to a Reflected Cross-Site Scripting
- risk 0.28cvss 4.3epss 0.00
Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.7.3.
- risk 0.28cvss 4.3epss 0.00
Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.4.2.
- risk 0.28cvss 4.3epss 0.00
The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog
- risk 0.28cvss 4.3epss 0.00
The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating…
Page 1 of 2