WordPress Security Bulletin: myCred plugin Vulnerability (CVE-2026-0550)

Security Alert Summary

The myCred plugin for WordPress contains a stored Cross-Site Scripting (XSS) vulnerability in its mycred_load_coupon shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary web script through the shortcode's attributes; the script is stored with the post and executes in the browser of anyone who views a page containing the injected shortcode.

CVE Details

  • CVE ID: CVE-2026-0550
  • Affected plugin / component: myCred plugin for WordPress
  • Affected versions: All versions up to, and including, 2.9.7.3
  • Published: February 14, 2026 at 9:16:11 AM UTC
  • Last Modified: February 14, 2026 at 9:16:11 AM UTC
  • CVSS v3.1: Base Score 6.4, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User Interaction: Authentication required — authenticated attackers with contributor level access or higher; Privileges Required: Low; User Interaction: None
  • Primary impact (CIA): Confidentiality: Low; Integrity: Low; Availability: None
  • CWE / Weakness: CWE-79 (Cross-site Scripting)

Technical Details

The vulnerability is a stored Cross-Site Scripting issue caused by insufficient input sanitization and missing output escaping of user-supplied attributes of the plugin's mycred_load_coupon shortcode. An authenticated user who can create or edit content containing this shortcode can supply attribute values that hold script or markup. Because the plugin does not sanitize and escape those attributes before writing them into the rendered page, the payload is stored in the post and executes in a visitor's browser whenever the affected page loads. This is also why contributor-level access is enough: the HTML is produced by the shortcode callback at render time, after the content filtering WordPress applies when a user without the unfiltered_html capability saves a post, so that filtering never sees the callback's output.

The CVE description names the shortcode and attributes the weakness to insufficient input sanitization and output escaping. The changeset linked in the references touches the plugin file mycred-coupon-shortcodes.php (the file name is visible in the changeset URL), which holds the plugin's coupon shortcode implementation.
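To make the pattern concrete, the following is an added illustrative example and not code from the myCred plugin: a shortcode callback that writes its attributes straight into HTML, beside a hardened version that sanitizes each attribute to the type it should be and escapes it for the HTML context it lands in. The shortcode and attribute names (demo_coupon, id, title, button) and the sample attacker values are assumptions for illustration. The WordPress helpers are stubbed with close approximations so the file runs under plain `php`; inside WordPress the real functions are used instead.

```php
<?php
/**
 * Added illustrative example, not code from the myCred plugin.
 * Shows the vulnerable pattern (unsanitized, unescaped shortcode attributes
 * echoed into HTML) beside a hardened version. Shortcode and attribute names
 * are assumptions for illustration only.
 */

// Stand-ins for the WordPress helpers, approximated so this file runs under
// plain `php` outside WordPress. Inside WordPress the real functions exist
// and these guards are skipped.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( array $pairs, $atts ) {
        $atts = (array) $atts;
        $out  = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = (string) $str;
        $str = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', $str ); // drop script/style blocks
        $str = strip_tags( $str );                                           // drop remaining tags
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );                 // drop control characters
        return trim( $str );
    }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $maybeint ) {
        return abs( (int) $maybeint );
    }
}

// VULNERABLE: attribute values flow from the saved post content straight
// into HTML. Whatever filtering ran when the post was saved does not apply
// here, because this markup is built by the callback at render time.
function demo_coupon_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'title' => 'Coupon', 'button' => 'Load' ), $atts );
    return '<div class="coupon" data-id="' . $atts['id'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . '<button type="button">' . $atts['button'] . '</button>'
         . '</div>';
}

// HARDENED: sanitize each attribute to the type it is supposed to be, then
// escape on output for the exact HTML context (attribute value vs. text node).
function demo_coupon_shortcode_hardened( $atts ) {
    $atts   = shortcode_atts( array( 'id' => 0, 'title' => 'Coupon', 'button' => 'Load' ), $atts );
    $id     = absint( $atts['id'] );                 // integer only
    $title  = sanitize_text_field( $atts['title'] ); // plain text only
    $button = sanitize_text_field( $atts['button'] );
    return '<div class="coupon" data-id="' . esc_attr( $id ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3>'
         . '<button type="button">' . esc_html( $button ) . '</button>'
         . '</div>';
}

// Constructed attacker-style attribute values for the demo (not from any real
// site). In a post they would be written with the opposite quote style, e.g.
//   [demo_coupon id='1" onmouseover="alert(1)' ...]
// and WordPress's shortcode parser hands the callback the inner string.
$evil = array(
    'id'     => '1" onmouseover="alert(1)',
    'title'  => 'Save <b onclick="alert(2)">10%</b>',
    'button' => 'Load',
);

echo "vulnerable:\n" . demo_coupon_shortcode_vulnerable( $evil ) . "\n\n";
echo "hardened:\n" . demo_coupon_shortcode_hardened( $evil ) . "\n";
```

Run with `php demo.php`. The vulnerable output closes the data-id attribute early and gains an onmouseover handler, and renders the injected tag inside the heading; the hardened output reduces id to `1`, strips the tag from the title, and entity-encodes anything that survives, so the same stored attribute values render as inert text.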

How This Could Impact Your Website

Consider a site where the owner manages content, an internal staff editor publishes pages, and an external contractor with a contributor account adds coupon content using the shortcode. The contributor can add a coupon whose shortcode attributes carry script content. When an editor or a site visitor views the page, the stored script runs in their browser within the site's origin. Practical consequences include actions performed with the viewer's logged-in session (an editor or administrator viewing the page while signed in is the most valuable target), harvesting of form values or internal-facing data shown on affected pages, and an increased risk of targeted phishing or social engineering against staff who see the injected content.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available. All versions up to and including 2.9.7.3 are affected, so confirm that the installed version is newer than 2.9.7.3; the CVE entry itself does not name the fixed version.
  • Review and reduce unnecessary user roles, especially contributor-level accounts that can add or edit content.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce your attack surface.
  • Monitor site activity and access logs for unusual behavior, such as unexpected post edits or new content containing script tags, or mycred_load_coupon shortcodes whose attribute values contain quotes, angle brackets, event-handler names (onmouseover, onerror, ...) or javascript: URLs.
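One way to do that last check over stored content, as an added example that is not code from the myCred plugin or from Freshy: a script that finds every [mycred_load_coupon ...] shortcode in post content, parses its attributes the way WordPress's shortcode parser does, and reports values that carry markup or attribute-breakout characters. The sample posts are constructed for the demo, and the heuristics are assumptions about what an injected attribute typically looks like rather than a complete list.

```php
<?php
/**
 * Added example, not code from the myCred plugin or from Freshy.
 * Scans post_content strings for [mycred_load_coupon ...] shortcodes and
 * flags attribute values that look injected. Sample posts are constructed.
 */

const TARGET_SHORTCODE = 'mycred_load_coupon';

// Heuristic reasons, in the order they are checked (assumptions, not a
// complete taxonomy of XSS payloads).
function suspicious_reason( string $value ): ?string {
    $checks = array(
        'html tag or angle bracket'   => '/[<>]/',
        'quote (attribute break-out)' => '/["\']/',
        'event handler attribute'     => '/\bon\w+\s*=/i',
        'javascript: URL'             => '/javascript\s*:/i',
    );
    foreach ( $checks as $reason => $re ) {
        if ( preg_match( $re, $value ) ) {
            return $reason;
        }
    }
    return null;
}

/**
 * $posts is post_id => post_content. Returns one finding per suspicious
 * attribute: array('post_id' => ..., 'attr' => ..., 'value' => ..., 'reason' => ...).
 */
function find_suspicious_shortcode_atts( array $posts, string $shortcode = TARGET_SHORTCODE ): array {
    $findings = array();
    $tag      = preg_quote( $shortcode, '/' );
    // Attribute grammar mirrors shortcode_parse_atts(): name="v" | name='v' | name=v
    $attr_re  = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';

    foreach ( $posts as $post_id => $content ) {
        if ( ! preg_match_all( '/\[' . $tag . '\b([^\]]*)\]/i', $content, $tags ) ) {
            continue;
        }
        foreach ( $tags[1] as $attr_string ) {
            preg_match_all( $attr_re, $attr_string, $attrs, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL );
            foreach ( $attrs as $m ) {
                $value  = $m[2] ?? $m[3] ?? $m[4] ?? ''; // whichever quoting form matched
                $reason = suspicious_reason( $value );
                if ( $reason !== null ) {
                    $findings[] = array(
                        'post_id' => $post_id,
                        'attr'    => $m[1],
                        'value'   => $value,
                        'reason'  => $reason,
                    );
                }
            }
        }
    }
    return $findings;
}

// Constructed sample post_content values (post_id => content); not real data.
$sample_posts = array(
    101 => 'Spring deals: [mycred_load_coupon id="12" title="Spring sale"] enjoy!',
    102 => "Use this: [mycred_load_coupon id='7\" onmouseover=\"alert(1)' title='Save']",
    103 => 'Also [gallery ids="1,2,3"] and [mycred_load_coupon id=\'9\' title=\'<img src=x onerror=alert(1)>\']',
    104 => 'No coupons here, just text with a "quote" outside any shortcode.',
);

$findings = find_suspicious_shortcode_atts( $sample_posts );
foreach ( $findings as $f ) {
    printf( "post %d: attribute %s looks injected (%s): %s\n",
        $f['post_id'], $f['attr'], $f['reason'], $f['value'] );
}
if ( ! $findings ) {
    echo "no suspicious shortcode attributes found\n";
}
```

Against the constructed posts this reports post 102 (a double quote inside the id value, the classic attribute break-out) and post 103 (a tag inside the title value), and stays quiet on the benign coupon in post 101 and the quote that sits outside any shortcode in post 104. To run it against a real site, feed the function real content, for example from `wp post list --format=ids` followed by `wp post get <id> --field=post_content`, or from `get_posts()` inside WordPress; treat every hit as a lead to review, since legitimate titles can contain an apostrophe.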

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References