cleantalk
Vulnerabilities and Security Researches

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin, a5aa26f505f02974767cf314e17c52d70fe15ebb

CVE, Research URL

a5aa26f505f02974767cf314e17c52d70fe15ebb

Home page URL

Security reports for myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin

Application

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin

Published on
Jun 14, 2023
Research Description
Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program &#8211; myCred [mycred] < 2.5.1 myCred <= 2.5 - Cross-Site Request Forgery The myCred plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5. This is due to missing nonce validation on the mycred_save_license() function. This makes it possible for unauthenticated attackers to modify the plugin's membership key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 2.5.1.
Status
vulnerable
Previous vulnerability researches
myCred Elementor (CVE-2024-49702) , Oct 25, 2024
myCred &#8211; Points, Rewards, Gamification, Ranks, Badges &amp; Loyalty Plugin (CVE-2023-33999) , Jun 13, 2026
myCred &#8211; Points, Rewards, Gamification, Ranks, Badges &amp; Loyalty Plugin (CVE-2024-43214) , Aug 13, 2024
myCred &#8211; Points, Rewards, Gamification, Ranks, Badges &amp; Loyalty Plugin (CVE-2026-8607) , Jun 18, 2026
myCred &#8211; Points, Rewards, Gamification, Ranks, Badges &amp; Loyalty Plugin (CVE-2026-42676) , May 22, 2026
New vulnerability
ABC Crypto Checkout (CVE-2026-52695) , Jun 18, 2026
WordPress File Sharing Plugin (CVE-2026-10093) , Jun 18, 2026
Gallery Plugin for WordPress &#8211; Envira Photo Gallery (CVE-2026-54190) , Jun 18, 2026
WooCommerce POS (CVE-2026-52711) , Jun 18, 2026
GetGenie – Ai Content Writer with Keyword Research and Competitor Analysis (CVE-2026-54197) , Jun 18, 2026