cleantalk
Vulnerabilities and Security Researches

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin, CVE-2026-8607

CVE, Research URL

CVE-2026-8607

Home page URL

Security reports for myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin

Application

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin

Published on
Jun 17, 2026
Research Description
The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.1.1.
Status
vulnerable
Previous vulnerability researches
CRM and Lead Management by vcita (CVE-2025-5240) , Jul 23, 2025
CRM and Lead Management by vcita (CVE-2024-13702) , Mar 27, 2025
CRM and Lead Management by vcita (CVE-2024-13703) , Mar 14, 2025
CRM and Lead Management by vcita (CVE-2023-2405) , Jun 07, 2024
CRM and Lead Management by vcita (CVE-2023-2404) , Jun 07, 2024
New vulnerability
SEO Plugin by Squirrly SEO (CVE-2026-52714) , Jun 18, 2026
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin (CVE-2026-8607) , Jun 18, 2026
Faust.js (CVE-2026-49062) , Jun 18, 2026
Conekta Payment Gateway (CVE-2026-49066) , Jun 18, 2026
Knit Pay – Instamojo, Razorpay, Cashfree, Stripe, Easebuzz, UPI QR, CCAvenue, GoUrl (CVE-2026-49070) , Jun 18, 2026