WordPress Plugin Vulnerabilities

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin < 2.5.1 - Cross-Site Request Forgery

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.

Affects Plugins

Plugin icon
mycred
Fixed in 2.5.1

References

CVE
CVE-2023-35096

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
60330867-d38e-4181-8cfb-57d8a2fe3560

Timeline

Publicly Published
2023-07-17 (about 2 years ago)
Added
2023-07-18 (about 2 years ago)
Last Updated
2023-07-18 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
Admin Cleanup <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-06-05
Title
Booqable Rental <= 2.4.21 - Cross-Site Request Forgery
Published
2021-07-05
Title
WPHEKA Request For Quote < 1.3 - CSRF Bypass
Published
2024-07-20
Title
Telegram Bot & Channel < 4.0.1 - Cross-Site Request Forgery
Published
2024-12-16
Title
SMS for WooCommerce < 2.8.1.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting