WordPress Plugin Vulnerabilities

myCred < 2.7.3 - Unauthenticated PHP Object Injection

Description

The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.7.2 via deserialization of untrusted input from the 'data' parameter This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
mycred
Fixed in 2.7.3

References

CVE
CVE-2024-43354
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/44ea3322-10f6-4f52-8fa8-8cc2632b67ce

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.1 (high)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
236584d0-dd86-4714-bd9a-dd1d9cc58de9

Timeline

Publicly Published
2024-08-16 (about 1 year ago)
Added
2024-08-22 (about 1 year ago)
Last Updated
2024-08-22 (about 1 year ago)

Other

Published
Title
Published
2025-01-10
Title
Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups < 1.3.6 - Missing Authorization to Authenticated (Contributor+) PHP Object Injection
Published
2024-04-15
Title
Shortcodes and extra features for Phlox theme < 2.17.6 - Subscriber+ PHP Object Injection
Published
2025-12-20
Title
Live Composer – Free WordPress Website Builder < 2.0.3 - Authenticated (Contributor+) PHP Object Injection via dslc_module_posts_output Shortcode
Published
2026-05-26
Title
Hot Coffee <= 1.7 - Unauthenticated PHP Object Injection
Published
2026-05-26
Title
Reisen <= 1.4.1 - Unauthenticated PHP Object Injection