mycred CVE Vulnerabilities & Metrics

Focus on mycred vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About mycred Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with mycred. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total mycred CVEs: 11
Earliest CVE date: 29 Nov 2021, 09:15 UTC
Latest CVE date: 08 Nov 2024, 10:15 UTC

Latest CVE reference: CVE-2024-10187

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 50.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 50.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical mycred CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 2.46

Max CVSS: 6.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	5
4.0-6.9	6
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS mycred CVEs

These are the five CVEs with the highest CVSS scores for mycred, sorted by severity first and recency.

CVE-2021-24755 mycred Published on 29 Nov 2021, 09:15 UTC (CVSS: 6.5)
The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user
CVE-2021-25015 mycred Published on 24 Jan 2022, 08:15 UTC (CVSS: 4.3)
The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue
CVE-2017-20008 mycred Published on 29 Nov 2021, 09:15 UTC (CVSS: 4.3)
The myCred WordPress plugin before 1.7.8 does not sanitise and escape the user parameter before outputting it back in the Points Log admin dashboard, leading to a Reflected Cross-Site Scripting
CVE-2022-1092 mycred Published on 25 Apr 2022, 16:16 UTC (CVSS: 4.0)
The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog
CVE-2022-0363 mycred Published on 25 Apr 2022, 16:16 UTC (CVSS: 4.0)
The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.

All CVEs for mycred

CVE-2024-10187 mycred vulnerability CVSS: 0 08 Nov 2024, 10:15 UTC

The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_link shortcode in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-8658 mycred vulnerability CVSS: 0 25 Sep 2024, 06:15 UTC

The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mycred_update_database() function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to upgrade an out of date database.

CVE-2024-43214 mycred vulnerability CVSS: 0 26 Aug 2024, 21:15 UTC

Missing Authorization vulnerability in myCred.This issue affects myCred: from n/a through 2.7.2.

CVE-2023-47853 mycred vulnerability CVSS: 0 30 Nov 2023, 17:15 UTC

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin allows Stored XSS.This issue affects myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin: from n/a through 2.6.1.

CVE-2023-35096 mycred vulnerability CVSS: 0 17 Jul 2023, 14:15 UTC

Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions.

CVE-2022-1092 mycred vulnerability CVSS: 4.0 25 Apr 2022, 16:16 UTC

The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog

CVE-2022-0363 mycred vulnerability CVSS: 4.0 25 Apr 2022, 16:16 UTC

The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.

CVE-2022-0287 mycred vulnerability CVSS: 4.0 25 Apr 2022, 16:16 UTC

The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog

CVE-2021-25015 mycred vulnerability CVSS: 4.3 24 Jan 2022, 08:15 UTC

The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue

CVE-2021-24755 mycred vulnerability CVSS: 6.5 29 Nov 2021, 09:15 UTC

The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user

CVE-2017-20008 mycred vulnerability CVSS: 4.3 29 Nov 2021, 09:15 UTC

The myCred WordPress plugin before 1.7.8 does not sanitise and escape the user parameter before outputting it back in the Points Log admin dashboard, leading to a Reflected Cross-Site Scripting