WordPress Plugin Vulnerabilities

myCred < 2.4 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
mycred
Fixed in 2.4

References

CVE
CVE-2021-25015
URL
https://plugins.trac.wordpress.org/changeset/2648350/mycred

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
7608829d-2820-49e2-a10e-e93eb3005f68

Timeline

Publicly Published
2021-12-27 (about 3 years ago)
Added
2021-12-27 (about 3 years ago)
Last Updated
2022-04-09 (about 3 years ago)

Other

Published
Title
Published
2025-08-01
Title
Medical Addon for Elementor < 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter Widget
Published
2021-04-19
Title
Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
Published
2024-06-04
Title
Brizy – Page Builder < 2.4.44 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes
Published
2024-07-10
Title
Booking Ultra Pro < 1.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-09
Title
Simple Spoiler < 1.5 - Contributor+ Stored XSS