Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 26 known issues Latest disclosed Apr 24, 2026

Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred Vulnerabilities

Q: How many Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred vulnerabilities have patch guidance?

26 of 26 tracked Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred records include a published patch path.

Review known vulnerability records for the WordPress plugin Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred (`mycred`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-40794, CVE-2026-0550 and CVE-2026-24951, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 30, 2026

Priority CVE Quick Links

Fast paths into Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2021-24755 High 2.3

CVE-2021-24755 Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred SQL Injection

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.2 - Subscriber+ SQL Injection

CVE-2024-43354 High 2.7.3

CVE-2024-43354 Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred Vulnerability

myCred <= 2.7.2 - Unauthenticated PHP Object Injection

CVE-2022-0363 Medium 2.4.4

CVE-2022-0363 Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred Cross-Site Request Forgery

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.4.3 - Missing Authorization

CVE-2026-0550 Medium 2.9.7.4

CVE-2026-0550 Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred Stored Cross-Site Scripting

myCred <= 2.9.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode

CVE-2026-27440 Medium 3.0

CVE-2026-27440 Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred Stored Cross-Site Scripting

myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program. <= 2.9.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-54668 Medium 2.9.4.4

CVE-2025-54668 Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred Stored Cross-Site Scripting

myCred <= 2.9.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-11201 Medium 2.7.6

CVE-2024-11201 Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred Stored Cross-Site Scripting

myCred – Loyalty Points and Rewards plugin <= 2.7.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_send Shortcode

CVE-2024-10187 Medium 2.7.5

CVE-2024-10187 Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred Stored Cross-Site Scripting

myCred <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_link Shortcode

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

26 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 2 high severity findings.

Recent CVEs

CVE-2026-40794, CVE-2026-0550 and CVE-2026-24951

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-40794 Medium Patch path listed

CVE-2026-40794: Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred <= 3.0.3 - Missing Authorization

The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to unauthorized access due to a missing capability check...

Published

Apr 24, 2026

Patch Status

3.0.4

Open CVE-2026-40794 Report

CVE-2026-0550 Medium Patch path listed

CVE-2026-0550: myCred <= 2.9.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode

The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycred_load_coupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient...

Published

Feb 13, 2026

Patch Status

2.9.7.4

Open CVE-2026-0550 Report

CVE-2026-24951 Medium Patch path listed

CVE-2026-24951: myCred <= 2.9.7.3 - Missing Authorization

The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a f...

Published

Feb 06, 2026

Patch Status

2.9.7.4

Open CVE-2026-24951 Report

Known Vulnerabilities

Reports for Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-40794

CVE-2026-40794: Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred <= 3.0.3 - Missing Authorization

The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.0.3. This makes it possible for authent...

Published

Apr 24, 2026

Patched Release

3.0.4

Affected Versions

Versions up to 3.0.3

Next Step

Update to 3.0.4 or newer if supported.

Open CVE-2026-40794 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-0550

CVE-2026-0550: myCred <= 2.9.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode

The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycred_load_coupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

Published

Feb 13, 2026

Patched Release

2.9.7.4

Affected Versions

Versions up to 2.9.7.3

Next Step

Update to 2.9.7.4 or newer if supported.

Open CVE-2026-0550 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-24951

CVE-2026-24951: myCred <= 2.9.7.3 - Missing Authorization

The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.9.7.3. This makes it possible for authenti...

Published

Feb 06, 2026

Patched Release

2.9.7.4

Affected Versions

Versions up to 2.9.7.3

Next Step

Update to 2.9.7.4 or newer if supported.

Open CVE-2026-24951 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-12361

CVE-2025-12361: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7.1 - Missing Authorization to Sensitive Information Exposure

The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform...

Published

Dec 18, 2025

Patched Release

2.9.7.2

Affected Versions

Versions up to 2.9.7.1

Next Step

Update to 2.9.7.2 or newer if supported.

Open CVE-2025-12361 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-12362

CVE-2025-12362: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7 - Missing Authorization to Unauthenticated Withdrawal Request Approval

The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7. This is due to the plugin not properly verifying that a user is authorized to perform an...

Published

Dec 12, 2025

Patched Release

2.9.7.1

Affected Versions

Versions up to 2.9.7

Next Step

Update to 2.9.7.1 or newer if supported.

Open CVE-2025-12362 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-27440

CVE-2026-27440: myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program. <= 2.9.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program. plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.9.7.6 due to insufficient input sanitization and output escaping. This makes i...

Published

Nov 08, 2025

Patched Release

3.0

Affected Versions

Versions up to 2.9.7.6

Next Step

Update to 3.0 or newer if supported.

Open CVE-2026-27440 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-54667

CVE-2025-54667: myCred <= 2.9.4.3 - Authenticated (Subscriber+) Race Condition

The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program. plugin for WordPress is vulnerable to a race condition in all versions up to, and including, 2.9.4.3. This makes it possible for authenticated attackers, with Subscriber-level acce...

Published

Jul 30, 2025

Patched Release

2.9.4.4

Affected Versions

Versions up to 2.9.4.3

Next Step

Update to 2.9.4.4 or newer if supported.

Open CVE-2025-54667 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-54668

CVE-2025-54668: myCred <= 2.9.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.9.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to injec...

Published

Jul 30, 2025

Patched Release

2.9.4.4

Affected Versions

Versions up to 2.9.4.3

Next Step

Update to 2.9.4.4 or newer if supported.

Open CVE-2025-54668 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-49857

CVE-2025-49857: myCred <= 2.9.4.2 - Missing Authorization

The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program. plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.9.4.2. This makes it possible for...

Published

Jun 12, 2025

Patched Release

2.9.4.3

Affected Versions

Versions up to 2.9.4.2

Next Step

Update to 2.9.4.3 or newer if supported.

Open CVE-2025-49857 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-49872

CVE-2025-49872: myCred <= 2.9.4.2 - Missing Authorization

Published

Jun 12, 2025

Patched Release

2.9.4.3

Affected Versions

Versions up to 2.9.4.2

Next Step

Update to 2.9.4.3 or newer if supported.

Open CVE-2025-49872 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-11201

CVE-2024-11201: myCred – Loyalty Points and Rewards plugin <= 2.7.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_send Shortcode

The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_send shortc...

Published

Dec 05, 2024

Patched Release

2.7.6

Affected Versions

Versions up to 2.7.5.2

Next Step

Update to 2.7.6 or newer if supported.

Open CVE-2024-11201 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-10187

CVE-2024-10187: myCred <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_link Shortcode

Published

Nov 07, 2024

Patched Release

2.7.5

Affected Versions

Versions up to 2.7.4

Next Step

Update to 2.7.5 or newer if supported.

Open CVE-2024-10187 Report Open CVE Reference