Stored Cross-Site Scripting Vulnerability in myCred Plugin for WordPress and WooCommerce
CVE-2024-11201
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 6 December 2024
Badges
Summary
The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce contains a critical Stored Cross-Site Scripting (XSS) vulnerability. This issue, identified as CVE-2024-11201, arises from insufficient input sanitization and output escaping on the mycred_send shortcode, which is present in all versions up to and including 2.7.5.2. Authenticated attackers with contributor-level access or higher can exploit this flaw to inject arbitrary web scripts into pages, allowing these scripts to execute whenever a user accesses the compromised page. This vulnerability poses significant risks to both site administrators and users, potentially leading to data theft, session hijacking, or further exploitation on affected sites.
Affected Version(s)
myCred – Exclusive Platform for Loyalty Points and Rewards – Create Leaderboards, Ranks, Badges, Cashback Coupons, Referral Programs, WooCommerce & eCommerce wallet, Gamification Awards, and Achievements. * <= 2.7.5.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
Vulnerability published
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability Reserved