The myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin plugin for WordPress is unsafe and outdated. It has a security vulnerability that could let an attacker with contributor-level or higher permissions add malicious web scripts to pages that will execute when any user visits them. This is due to the fact that user supplied attributes are not properly checked or protected. The vulnerability is present in all versions of the plugin up to 2.6.1.