CVE-2026-0550 is a stored Cross-Site Scripting (XSS) vulnerability identified in the myCred plugin for WordPress, a popular points management system used for gamification, ranks, badges, and loyalty programs. The flaw exists in the 'mycred_load_coupon' shortcode, which fails to properly sanitize and escape user-supplied attributes before rendering them on web pages. This improper neutralization of input (CWE-79) allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 2.9.7.3. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed (S:C) because the vulnerability can affect resources beyond the attacker’s privileges. No user interaction is needed for exploitation. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to WordPress sites using myCred, especially those allowing contributor-level users to add content. The plugin’s widespread use in loyalty and gamification contexts increases the potential attack surface. The vulnerability was publicly disclosed on February 14, 2026, and no official patches or updates have been linked yet.

The impact of CVE-2026-0550 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the vulnerable site, enabling session hijacking, theft of sensitive information such as cookies or tokens, and unauthorized actions performed with the victim’s privileges. This can lead to account takeover, privilege escalation, or manipulation of loyalty points and rewards systems, undermining trust and potentially causing financial or reputational damage. Because the vulnerability requires contributor-level access, attackers must first compromise or register accounts with such privileges, which may be feasible on sites with weak user management or open registration. The scope change means that the attacker can affect users beyond their own privileges, increasing the risk. The lack of user interaction requirement facilitates automated exploitation once access is obtained. Organizations relying on myCred for customer engagement or internal gamification are at risk of data breaches and operational disruption. The medium severity score reflects a moderate but tangible threat that should be addressed promptly to avoid exploitation.

To mitigate CVE-2026-0550, organizations should first check for and apply any official patches or updates released by the myCred plugin developers once available. In the absence of a patch, administrators should consider disabling the 'mycred_load_coupon' shortcode or restricting its usage to trusted users only. Implement strict user role management to limit contributor-level access and monitor for suspicious account creation or privilege escalation. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script payloads targeting the vulnerable shortcode parameters. Conduct regular security audits and code reviews of custom shortcodes or plugins to ensure proper input validation and output encoding. Additionally, educate content contributors about safe content practices and monitor site pages for unexpected script injections. For high-risk environments, consider temporarily removing or replacing the myCred plugin with alternative solutions until a secure version is available. Enable Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Finally, maintain comprehensive backups and incident response plans to quickly recover from potential compromises.