CVE-2026-0550 identifies a stored Cross-Site Scripting vulnerability in the myCred plugin for WordPress, a popular tool for managing points, ranks, badges, and loyalty programs. The vulnerability exists in the 'mycred_load_coupon' shortcode, which fails to properly sanitize and escape user-supplied attributes before rendering them on web pages. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into the shortcode attributes. When other users visit the affected pages, the malicious scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deliver further payloads. The vulnerability affects all versions up to and including 2.9.7.3. The CVSS 3.1 base score is 6.4, reflecting a medium severity due to network attack vector, low attack complexity, and the requirement for privileges but no user interaction. The scope is changed because the vulnerability affects resources beyond the attacker’s privileges. No public exploits have been reported yet, but the vulnerability is significant given the widespread use of WordPress and the myCred plugin in gamification and loyalty contexts. The root cause is improper neutralization of input during web page generation, classified under CWE-79. The vulnerability was published on February 14, 2026, and assigned by Wordfence. No official patch links are currently available, indicating that users must rely on interim mitigations until a fix is released.

For European organizations, this vulnerability poses a risk primarily to websites using WordPress with the myCred plugin for gamification or loyalty programs. Attackers with contributor-level access can inject persistent malicious scripts, which execute in the browsers of site visitors, potentially compromising user sessions and data confidentiality. This can lead to unauthorized actions performed under the guise of legitimate users, data theft, or reputational damage. Organizations in sectors such as e-commerce, education, and online communities that leverage gamification are particularly vulnerable. The medium severity score indicates a moderate risk, but the impact can be amplified if high-privilege users are compromised or if the site handles sensitive user data. The vulnerability does not affect availability but impacts confidentiality and integrity. Given the plugin’s popularity in Europe, especially in countries with high WordPress adoption like Germany, the UK, France, and the Netherlands, the threat is relevant. The lack of public exploits reduces immediate risk but does not eliminate the potential for targeted attacks. The requirement for authenticated access limits exposure but insider threats or compromised contributor accounts increase risk.

European organizations should prioritize the following mitigations: 1) Monitor for and apply official patches from the myCred plugin vendor as soon as they become available. 2) Restrict contributor-level permissions to trusted users only and review user roles regularly to minimize the risk of malicious input. 3) Implement strict input validation and output encoding at the application level if customizations are made. 4) Deploy Web Application Firewalls (WAFs) with rules to detect and block XSS payloads, particularly targeting the 'mycred_load_coupon' shortcode parameters. 5) Conduct regular security audits and code reviews of WordPress plugins and themes to identify similar vulnerabilities. 6) Educate content contributors about the risks of injecting untrusted content and enforce secure content management policies. 7) Use Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources. 8) Monitor logs for unusual activity related to shortcode usage or contributor actions. These steps go beyond generic advice by focusing on role-based access control, proactive monitoring, and layered defenses tailored to this vulnerability.