{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24951", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:29.517Z", "datePublished": "2026-02-03T14:08:33.829Z", "dateUpdated": "2026-04-28T16:14:51.254Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mycred", "product": "myCred", "vendor": "Saad Iqbal", "versions": [{"changes": [{"at": "2.9.7.4", "status": "unaffected"}], "lessThanOrEqual": "2.9.7.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:56.252Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects myCred: from n/a through <= 2.9.7.3.</p>"}], "value": "Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.7.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.254Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/mycred/vulnerability/wordpress-mycred-plugin-2-9-7-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress myCred plugin <= 2.9.7.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T18:35:47.995832Z", "id": "CVE-2026-24951", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:49:10.651Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24951", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:29.517Z", "datePublished": "2026-02-03T14:08:33.829Z", "dateUpdated": "2026-04-28T14:49:10.651Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mycred", "product": "myCred", "vendor": "Saad Iqbal", "versions": [{"changes": [{"at": "2.9.7.4", "status": "unaffected"}], "lessThanOrEqual": "2.9.7.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:29.468Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects myCred: from n/a through <= 2.9.7.3.</p>"}], "value": "Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.7.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:46.855Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/mycred/vulnerability/wordpress-mycred-plugin-2-9-7-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress myCred plugin <= 2.9.7.3 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24951", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T18:35:47.995832Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T18:34:17.771Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.7.3."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n faltante en Saad Iqbal myCred mycred permite la explotaci\u00f3n de niveles de seguridad de Control de acceso configurados incorrectamente. Este problema afecta a myCred: desde n/a hasta &lt;= 2.9.7.3."}], "id": "CVE-2026-24951", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:16.020", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/mycred/vulnerability/wordpress-mycred-plugin-2-9-7-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:20:22.157352+00:00", "value": {"mitigation_remediation": ["Upgrade the myCred plugin to the most recent version that addresses the broken access control flaw.", "If an upgrade cannot be performed immediately, temporarily deactivate the plugin to remove the vulnerable code paths until a fix is available.", "After restating or upgrading the plugin, enforce strict role\u2011based access controls so that only administrators or explicitly trusted roles can invoke plugin functions, and review any custom WordPress roles that may have elevated privileges."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "The affected component is the myCred plugin created by Saad Iqbal for WordPress. All releases with version numbers from the earliest available iteration through 2.9.7.3 are vulnerable. No later versions were listed as patched in the provided data, so any installation of the plugin with a version equal to or below 2.9.7.3 must be considered at risk.", "description_and_impact": "The missing authorization flaw in the myCred WordPress plugin, classified as CWE\u2011862, allows an attacker to perform actions that should be restricted by plugin security settings. The vulnerability could enable the attacker to access or modify sensitive user data, manipulate account balances, or execute administrative operations that are normally protected. Because the flaw lies in the enforcement of access control, exploitation could lead to data exposure or integrity compromise at the site level.", "risk_and_exploitability": "The CVSS v3 score of 4.3 indicates a medium severity vulnerability, while the EPSS score of less than 1% implies a very low probability of exploitation in the wild at this time. The vulnerability is not currently documented in the CISA KEV catalog. Based on the information, the attack vector would likely require an authenticated user or someone able to send crafted requests to the plugin's endpoints, exploiting the broken enforcement of security levels. Starting from an authenticated session with sufficient privileges, an attacker could invoke privileged plugin functions without proper authorization checks. Given the low exploitation probability and lack of known public exploits, the risk remains moderate but should be mitigated promptly."}}}}, "created": "2026-02-04T12:14:57.821815+00:00", "updated": "2026-04-16T01:30:20.307713+00:00", "vendors": ["saadiqbal", "saadiqbal$PRODUCT$mycred", "wordpress", "wordpress$PRODUCT$wordpress"]}