Hong Kong Security Advisory: myCred XSS (CVE-2026-0550)

Cross Site Scripting (XSS) in WordPress myCred Plugin
Plugin Name: myCred
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-0550
Urgency: Low
CVE Publish Date: 2026-02-15
Source URL: CVE-2026-0550

Urgent: myCred Stored XSS (CVE-2026-0550) — What WordPress Site Owners Must Do Now

Date: 13 Feb 2026
Author: Hong Kong Security Expert


Summary

A stored Cross-Site Scripting (XSS) vulnerability affecting the myCred WordPress plugin (versions ≤ 2.9.7.3) was disclosed and assigned CVE-2026-0550. An authenticated user with Contributor (or higher) privileges can store a malicious payload in coupon data that the mycred_load_coupon shortcode later renders on the front end without escaping, so the payload executes in the browser of every visitor who loads that page. The issue is fixed in myCred 2.9.7.4. This advisory explains the technical risk, likely exploitation paths, detection strategies, and step-by-step remediation, including immediate hardening and virtual patching options.

If myCred is installed on any of your WordPress sites, read this fully and act now.

Quick facts

  • Affected plugin: myCred (WordPress)
  • Vulnerable versions: ≤ 2.9.7.3
  • Fixed version: 2.9.7.4
  • Vulnerability type: Stored Cross-Site Scripting (XSS)
  • Required privilege to exploit: Contributor (authenticated)
  • CVE: CVE-2026-0550
  • Estimated severity: Medium / CVSS 6.5 (authenticated user required, but persistent XSS)
  • Exploitation impact: Attacker-supplied scripts executed in visitors’ browsers — possible account takeover, content injection, phishing, redirects, and client‑side exploits
  • Immediate mitigation: Update the plugin; if immediate update is not possible, apply virtual patching via WAF rules and restrict contributor capabilities

What happened — plain English

myCred exposes a shortcode (mycred_load_coupon) that displays coupon content. In vulnerable versions, data that Contributors can create is neither sanitized when it is stored nor escaped when it is output. A malicious Contributor can therefore place markup or JavaScript in coupon fields, and the shortcode later writes it into the page unchanged. Because the payload lives in the database and is rendered every time a visitor loads the shortcode output, this is stored XSS: a persistent client-side vulnerability.

Stored XSS is particularly dangerous because the malicious content persists and can affect many visitors over time, including administrators and editors who view the affected page in the dashboard or front end.
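To make the bug class concrete, the following is illustrative code written for this advisory. It is not myCred's implementation: the demo_ function names, the 'coupon' post type and the '_coupon_message' and '_coupon_code' meta keys are assumptions. It shows the vulnerable pattern (a stored, Contributor-controlled value concatenated into the page), the fixed pattern (escaping at output plus sanitizing on save), and an interim virtual patch that filters the real shortcode's output through WordPress's do_shortcode_tag hook until the plugin update can be applied.

```php
<?php
/**
 * Illustrative shortcode code written for this advisory. It is NOT myCred's
 * implementation: the demo_ function names, the 'coupon' post type and the
 * '_coupon_message' / '_coupon_code' meta keys are assumptions chosen to
 * show the bug pattern and its fix.
 */

// 1) The vulnerable pattern: a value a Contributor could write is concatenated
//    into the page unchanged. A stored "<img src=x onerror=alert(document.domain)>"
//    then runs in every visitor's browser whenever the shortcode is rendered.
function demo_load_coupon_vulnerable( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_load_coupon' );
    $message = get_post_meta( (int) $atts['id'], '_coupon_message', true );

    return '<div class="coupon">' . $message . '</div>';
}

// 2) The fix: escape at the point of output with the escaper that matches the
//    context. esc_html() for plain text, esc_attr() inside attributes,
//    esc_url() for links, wp_kses_post() when limited markup must survive
//    (it drops <script>, on* event attributes and javascript: URLs).
function demo_load_coupon_fixed( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_load_coupon' );
    $post_id = (int) $atts['id'];
    $message = get_post_meta( $post_id, '_coupon_message', true );
    $code    = get_post_meta( $post_id, '_coupon_code', true );

    return sprintf(
        '<div class="coupon" data-coupon="%s">%s</div>',
        esc_attr( $code ),
        wp_kses_post( $message )
    );
}
add_shortcode( 'demo_load_coupon', 'demo_load_coupon_fixed' );

// 3) Defence in depth: also sanitize on save so a payload never reaches the
//    database. Contributors do not hold 'unfiltered_html', so their input is
//    reduced to plain text; roles that do hold it keep the post allow-list.
function demo_save_coupon_message( $post_id ) {
    if ( ! isset( $_POST['_coupon_message'] ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    check_admin_referer( 'demo_save_coupon', 'demo_coupon_nonce' );

    $raw   = wp_unslash( $_POST['_coupon_message'] );
    $clean = current_user_can( 'unfiltered_html' ) ? wp_kses_post( $raw ) : sanitize_text_field( $raw );

    update_post_meta( $post_id, '_coupon_message', $clean );
}
add_action( 'save_post_coupon', 'demo_save_coupon_message' );

// 4) Interim virtual patch for sites that cannot update yet. WordPress passes
//    every shortcode's rendered HTML through the 'do_shortcode_tag' filter, so
//    a file in wp-content/mu-plugins/ can strip script from the real
//    shortcode's output before it reaches the page. The allow-list starts from
//    the post-content rules and adds the form elements a coupon widget may
//    render; adjust it to the markup the shortcode produces on your site.
add_filter( 'do_shortcode_tag', function ( $output, $tag ) {
    if ( 'mycred_load_coupon' !== $tag ) {
        return $output;
    }
    $allowed          = wp_kses_allowed_html( 'post' );
    $allowed['form']  = array( 'action' => true, 'method' => true, 'class' => true, 'id' => true );
    $allowed['input'] = array( 'type' => true, 'name' => true, 'value' => true, 'class' => true, 'id' => true, 'placeholder' => true );

    return wp_kses( $output, $allowed );
}, 10, 2 );
```

Two caveats on the interim filter: it only covers payloads that reach the page through that shortcode, so any admin-side screen that lists coupon data is not protected by it, and wp_kses strips elements that are not on the allow-list, so load the page that uses the shortcode after installing the mu-plugin and confirm the coupon form still renders. Treat it as a stopgap and still update to 2.9.7.4.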

Why this matters to you

  1. Contributors are common: Many sites allow outside contributors, guest authors, affiliates, or low‑privileged users to create content. If you permit that role, your risk increases.
  2. Stored XSS can affect trusted users: script that runs in an administrator's or editor's browser runs with that user's session. WordPress authentication cookies are HttpOnly, so a simple document.cookie exfiltration will not capture them, but the payload can still issue authenticated requests from the victim's browser (for example against the REST API using a nonce read from the page) and act as that user.
  3. SEO and reputation damage: Malicious scripts can inject SEO spam, redirect visitors to malware/phishing pages, or display unwanted ads.
  4. Lateral escalation: Attackers can use XSS to escalate privileges by riding a privileged victim's session (requests made from the victim's browser can create an administrator account, install a plugin, or edit theme files), by chaining CSRF, or by social engineering privileged users.

Exploitation scenario — what an attacker would do

  • Attacker registers or uses an existing Contributor account.
  • They create or edit a coupon and embed a payload (e.g.,