Total
7 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-47853 | 1 Wpexperts | 1 Mycred | 2025-10-17 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin allows Stored XSS.This issue affects myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin: from n/a through 2.6.1. | |||||
| CVE-2024-43214 | 1 Wpexperts | 1 Mycred | 2025-10-17 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in myCred.This issue affects myCred: from n/a through 2.7.2. | |||||
| CVE-2022-0363 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts. | |||||
| CVE-2021-24755 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 6.5 MEDIUM | 8.8 HIGH |
| The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user | |||||
| CVE-2022-1092 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog | |||||
| CVE-2023-35096 | 1 Wpexperts | 1 Mycred | 2025-10-17 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions. | |||||
| CVE-2022-0287 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog | |||||