Attack Vectors
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program (slug: mycred) is affected by a Medium-severity vulnerability (CVSS 4.3, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) tracked as CVE-2026-24951.
The issue enables authenticated attackers—including users with Subscriber-level access and above—to perform an unauthorized action due to a missing authorization check. In practical terms, this risk is most relevant when a site allows user registration, has many low-privilege accounts (customers, members, partners), or when accounts can be easily created through campaigns and community features.
Because the attack requires login access but no user interaction (per the CVSS vector), organizations should treat this as a realistic threat scenario for membership sites, loyalty programs, and marketing-driven WordPress properties where user accounts are part of the business model.
Security Weakness
This vulnerability is caused by a missing capability check on a function in myCred in versions up to and including 2.9.7.3. A capability check is a standard control that ensures only appropriately privileged roles can perform sensitive actions in WordPress.
When that check is missing, the plugin may allow a lower-privileged authenticated user to reach functionality intended for administrators or managers. The published summary indicates the impact is primarily on integrity (ability to change something) rather than data exposure (no confidentiality impact stated in the CVSS vector).
Remediation: Update myCred to version 2.9.7.4 or a newer patched version.
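To make the "missing capability check" concrete, here is an added illustration (not myCred's code, and not the affected function) of a hypothetical WordPress AJAX handler as it looks without the check and then hardened; the hook names, the `demo_points` meta key and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added illustration, not code from myCred: a hypothetical admin-only
// AJAX action, first with the authorization gap, then hardened.

// --- Before: wp_ajax_* hooks only require a logged-in session, so any
// authenticated role (Subscriber upward) can reach this handler.
add_action( 'wp_ajax_demo_adjust_points', 'demo_adjust_points_unchecked' );
function demo_adjust_points_unchecked() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $amount  = intval( $_POST['amount'] ?? 0 );
    // Privileged write reached without any authorization check.
    update_user_meta( $user_id, 'demo_points', $amount );
    wp_send_json_success();
}

// --- After: verify intent (nonce) and authority (capability) before acting.
add_action( 'wp_ajax_demo_adjust_points_v2', 'demo_adjust_points_checked' );
function demo_adjust_points_checked() {
    // Rejects requests that did not originate from the plugin's own form;
    // check_ajax_referer() terminates the request with 403 on failure.
    check_ajax_referer( 'demo_adjust_points', 'nonce' );

    // The capability check that was missing: Subscriber-level callers do
    // not hold 'manage_options' (an assumed capability for this example;
    // a real plugin maps its own capability to the roles it intends).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $amount  = intval( $_POST['amount'] ?? 0 );
    if ( 0 === $user_id ) {
        wp_send_json_error( array( 'message' => 'invalid user' ), 400 );
    }
    update_user_meta( $user_id, 'demo_points', $amount );
    wp_send_json_success();
}
```

The integrity-only impact in the CVSS vector matches the "before" shape: the handler changes data but returns nothing sensitive, so the missing control is authorization rather than disclosure.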
Technical or Business Impacts
Even at Medium severity, authorization gaps in a gamification/loyalty plugin can create outsized business risk because points, ranks, and rewards often tie directly to promotions, customer benefits, and brand trust.
Business impacts may include: loyalty-program manipulation (e.g., unauthorized changes that affect points or rewards), campaign integrity issues, disputed rewards/redemptions, and customer support escalations that consume marketing and operations capacity. For compliance teams, this can also raise questions about access controls and change governance for systems that influence customer entitlements.
Operational impacts may include: the need for incident review of user accounts with Subscriber-level access, verification of unexpected changes, and tighter controls around registration and role assignments—especially for sites that run promotions, sweepstakes, or community programs.
Similar Attacks
Authorization flaws and privilege-related issues are a recurring theme in plugin security. Here are a few real examples to help stakeholders contextualize the risk:
Elementor: critical vulnerability write-up (Wordfence) — an example of how widely used plugins can be targeted when access controls break down.
WooCommerce Payments vulnerability write-up (Wordfence) — illustrates how business-impacting actions can be abused when plugin authorization is insufficient.
Backdoored WordPress plugins (Wordfence) — highlights the broader ecosystem risk and why prompt patching and governance matter.