PatchSiren cyber security CVE debrief

CVE-2026-42676 myCred CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the myCred WordPress plugin, affecting versions up to and including 3.0.4. The weakness stems from improper neutralization of input during web page generation (CWE-79), allowing an attacker with low privileges to inject and persist malicious scripts that execute in the context of other users' browsers. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) yields a base score of 6.5 (Medium), reflecting a network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, and low impact on confidentiality, integrity, and availability. The CVE was published and last modified on June 1, 2026. Its status in NVD is currently Deferred. No exploitation in ransomware campaigns has been documented, and the CVE does not appear in the CISA KEV catalog.

Vendor: myCred
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

WordPress site administrators running myCred plugin versions ≤3.0.4; security teams managing plugin inventories; developers maintaining custom integrations with myCred functionality.

Technical summary

The myCred WordPress plugin fails to properly sanitize user-supplied input before rendering it in web pages, resulting in a stored XSS condition (CWE-79). An authenticated attacker with low privileges can inject persistent JavaScript payloads that execute when other users view affected pages. The scope change (S:C) in the CVSS vector indicates the vulnerable component impacts resources beyond its own security context. Affected versions span from initial release through 3.0.4 inclusive.

Defensive priority

medium

Recommended defensive actions

  • Upgrade myCred to a version newer than 3.0.4 if a patched release is available from the vendor.
  • Apply principle of least privilege to WordPress user accounts, limiting access to the myCred plugin's administrative functions.
  • Implement Content Security Policy (CSP) headers and output encoding defenses as compensating controls for XSS risks in WordPress environments.
  • Monitor for unexpected script execution or unauthorized HTML injection within myCred-generated pages.
  • Review the Patchstack advisory for any vendor-supplied mitigation guidance specific to this vulnerability.
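The output-encoding and CSP controls listed above, shown as an added PHP example that is not myCred's code or anything from this advisory: a hypothetical shortcode renders a user-supplied "tagline" stored in user meta, first in the unsafe form that yields stored XSS (CWE-79) and then hardened, followed by a CSP header registered on the WordPress send_headers hook. All example_* names, the 'example_tagline' meta key and the CSP source list are assumptions.

```php
<?php
// Added example, not code from the myCred plugin: a hypothetical shortcode
// that displays a per-user "tagline" saved in user meta. Names prefixed
// example_ and the meta key 'example_tagline' are assumed for illustration.

// Unsafe pattern: stored input is echoed verbatim, so a low-privileged user
// who saves a <script> tag in their tagline gets it executed in the browser
// of every visitor who views a page containing the shortcode (stored XSS).
function example_tagline_unsafe( $atts ) {
    $atts    = shortcode_atts( array( 'user_id' => 0 ), $atts );
    $tagline = get_user_meta( (int) $atts['user_id'], 'example_tagline', true );
    return '<span class="tagline">' . $tagline . '</span>';
}

// Hardened pattern, step 1: validate on save. sanitize_text_field() strips
// tags, octets and line breaks before the value is persisted.
function example_save_tagline( $user_id, $raw ) {
    update_user_meta( (int) $user_id, 'example_tagline', sanitize_text_field( $raw ) );
}

// Hardened pattern, step 2: encode on output for the exact HTML context.
// esc_attr() inside attribute values, esc_html() inside text nodes; use
// wp_kses_post() only where a limited HTML subset must be preserved.
function example_tagline_safe( $atts ) {
    $atts    = shortcode_atts( array( 'user_id' => 0 ), $atts );
    $tagline = get_user_meta( (int) $atts['user_id'], 'example_tagline', true );
    return '<span class="tagline" title="' . esc_attr( $tagline ) . '">'
         . esc_html( $tagline ) . '</span>';
}
add_shortcode( 'example_tagline', 'example_tagline_safe' );

// Compensating control: a CSP that forbids inline script, so an injected
// <script> block or onerror= handler is blocked even if an escape is missed.
// The source list is an assumption; widen it only for the theme's own
// legitimately enqueued scripts, and watch the browser console for reports.
function example_send_csp() {
    if ( headers_sent() ) {
        return;
    }
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; "
          . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'" );
}
add_action( 'send_headers', 'example_send_csp' );
```

Escaping at output is the primary fix; the CSP only limits the blast radius of an escape that is missed elsewhere, which is why the recommendations list it as a compensating control rather than a replacement for patching.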

Evidence notes

The vulnerability description and affected version range (through 3.0.4) are sourced from the official CVE record and NVD entry. The CVSS vector and score are derived from NVD metadata. The vendor attribution is marked low-confidence because the reference-domain evidence points to Patchstack rather than to the vendor; the vendor field requires review.

Official resources
