Atomic Edge analysis of CVE-2026-0550:
The myCred WordPress plugin contains an authenticated stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.9.7.3. The vulnerability exists within the ‘mycred_load_coupon’ shortcode handler, allowing contributors and higher-privileged users to inject malicious scripts into pages. This vulnerability has a CVSS score of 6.4 (Medium severity).
Atomic Edge research identifies the root cause as insufficient output escaping of user-supplied shortcode attributes. The vulnerable code resides in the file mycred/addons/coupons/includes/mycred-coupon-shortcodes.php. Specifically, the function handling the ‘mycred_load_coupon’ shortcode fails to properly sanitize the ‘label’ parameter before output. The code directly concatenates user input into HTML output without escaping, as shown in the diff at lines 82-85 where the ‘label’ variable is used without security filtering.
The exploitation method requires an authenticated attacker with at least contributor-level permissions. Attackers can create or edit posts containing the ‘mycred_load_coupon’ shortcode with malicious attributes. For example, an attacker could embed a payload like [mycred_load_coupon label="alert(document.domain)"]. When any user views the compromised page, the malicious script executes in their browser context. The attack vector leverages WordPress’s shortcode parsing system, which processes these attributes during page rendering.
The patch adds proper output escaping using wp_kses_post() for both the error message and label parameters. In the diff, line 51 shows the addition of wp_kses_post($message) to sanitize error messages. Lines 82-85 demonstrate the addition of wp_kses_post($label) before the label is wrapped in HTML tags. wp_kses_post() filters a string against the HTML that WordPress allows in post content, so script tags and event-handler attributes in user input are removed before the value is output to the browser, preventing script execution while preserving intended formatting.
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of any user viewing the compromised page. This can lead to session hijacking, account takeover, content defacement, or redirection to malicious sites. Since the vulnerability requires contributor-level access, attackers must first compromise a user account with appropriate permissions, but once injected, the payload affects all visitors to the page.
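For sites that ran an affected version, a review of stored content for ‘mycred_load_coupon’ shortcodes whose ‘label’ attribute carries script-capable markup can be scripted as below. This is an added example, not code from Atomic Edge or the myCred project. It assumes rows of (post ID, post_content) exported from the WordPress posts table; the function names, the pattern list and the sample rows are constructed for illustration, and the patterns are heuristics that can produce false positives.

```python
import html
import re

# [mycred_load_coupon ...]; WordPress shortcode attributes cannot contain "]".
SHORTCODE_RE = re.compile(r"\[mycred_load_coupon\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=value.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")
# Heuristic markers of script-capable markup (an assumption of this example).
SCRIPT_CAPABLE = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
]

def label_findings(post_content):
    """Return (raw_label, reason) for each shortcode label that looks script-capable."""
    findings = []
    for shortcode in SHORTCODE_RE.finditer(post_content):
        for attr in ATTR_RE.finditer(shortcode.group(1)):
            if attr.group(1).lower() != "label":
                continue
            raw = next(v for v in attr.groups()[1:] if v is not None)
            # Decode entities so entity-encoded markup is reviewed as well.
            decoded = html.unescape(raw)
            for reason, pattern in SCRIPT_CAPABLE:
                if pattern.search(decoded):
                    findings.append((raw, reason))
                    break
    return findings

def scan_posts(rows):
    """rows: iterable of (post_id, post_content). Returns (post_id, raw_label, reason)."""
    return [(post_id, raw, reason)
            for post_id, content in rows
            for raw, reason in label_findings(content)]

# Constructed sample rows, not taken from a real site.
SAMPLE_POSTS = [
    (101, 'Redeem here: [mycred_load_coupon label="Coupon code"]'),
    (102, '[mycred_load_coupon label="<script>alert(document.domain)</script>"]'),
    (103, "[mycred_load_coupon label='&lt;script&gt;alert(document.domain)&lt;/script&gt;']"),
    (104, "No shortcode in this post."),
]

if __name__ == "__main__":
    for post_id, raw, reason in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: {reason} in label {raw!r}")
```

Each hit identifies a post to review together with its author and revision history; labels that contain only formatting markup are not reported.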
