The myCred plugin for WordPress, a version of which is used up to and including version 2.5, has a security vulnerability. An unauthenticated attacker can potentially modify the plugin’s membership key without permission by tricking a site administrator into clicking on a malicious link. This security vulnerability is caused by the lack of nonce validation on the mycred_save_license() function.