myCred Badge Plus Security & Risk Analysis

wordpress.org/plugins/mycred-badge-plus

📢 🚨 Important Notice: The myCred Badge Plus is now part of myCred Core plugin and will no longer receive updates here. Only security fixes will be pro …

10 active installs · v1.0.4 · PHP 7.0+ · WP 6.2+ · Updated Apr 17, 2025
Tags: badges, gamifications, levels, points, rewards
92
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is myCred Badge Plus Safe to Use in 2026?

Generally Safe

Score 92/100

myCred Badge Plus has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago
Risk Assessment

The "mycred-badge-plus" v1.0.4 plugin exhibits a generally strong security posture with a few notable areas for improvement. Its reliance on prepared statements for all SQL queries and a high percentage of properly escaped outputs are positive indicators. The absence of known CVEs and vulnerabilities in its history further suggests a mature development process. However, the presence of one unprotected AJAX handler presents a significant risk, as it could potentially be exploited without proper authentication. The use of the `unserialize` function, while not explicitly exploited in the analyzed flows, is inherently risky as it can lead to arbitrary object deserialization vulnerabilities if not handled with extreme care and input validation.

While the taint analysis shows no critical or high-severity unsanitized paths, the single unprotected AJAX endpoint remains a critical entry point. The plugin's attack surface is relatively small, but this one unprotected point is disproportionately concerning. The vulnerability history is clean, which is excellent, but it doesn't negate the immediate risks identified in the static analysis. In conclusion, "mycred-badge-plus" has good foundational security practices, but the unprotected AJAX handler and the potential risks associated with `unserialize` warrant immediate attention to mitigate potential security breaches.

Key Concerns

  • Unprotected AJAX handler
  • Dangerous function: unserialize used
Vulnerabilities
None known

myCred Badge Plus Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

myCred Badge Plus Release Timeline

v1.0.4 (Current)
v1.0.3
v1.0.2
v1.0.1
v1.0.0
Code Analysis
Analyzed Apr 16, 2026

myCred Badge Plus Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (19 prepared)
Unescaped Output: 2 (253 escaped)
Nonce Checks: 4
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: `if( ! empty( unserialize( $values->meta_value )['requirements'] ) ) {` (includes/badge-plus-module-class.php:1045)
  • unserialize: `foreach ( unserialize( $values->meta_value )['requirements'] as $key => $value ) {` (includes/badge-plus-module-class.php:1049)

SQL Query Safety

100% prepared · 19 total queries

Output Escaping

99% escaped · 255 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
earners_page (includes/badge-plus-module-class.php:1077)
Attack Surface
1 unprotected

myCred Badge Plus Attack Surface

Entry Points: 4
Unprotected: 1

AJAX Handlers 4

  • auth: wp_ajax_mycred_switch_all_to_open_badge_plus (includes/badge-plus-module-class.php:39)
  • auth: wp_ajax_mycred_save_badge_requirements (includes/badge-plus-module-class.php:573)
  • auth: wp_ajax_mycred_revoke_user_badge (includes/badge-plus-module-class.php:580)
  • auth: wp_ajax_mycred_assign_user_badge (includes/badge-plus-module-class.php:581)
WordPress Hooks 19
  • action: mycred_deleted_log_entry (includes/badge-plus-module-class.php:83)
  • action: mycred_bulk_delete_log (includes/badge-plus-module-class.php:84)
  • action: add_meta_boxes (includes/badge-plus-module-class.php:85)
  • filter: mycred_add_finished (includes/badge-plus-module-class.php:86)
  • action: mycred_register_assets (includes/badge-plus-module-class.php:87)
  • filter: mycred_module_post_types (includes/badge-plus-module-class.php:88)
  • action: mycred_open_badges_html (includes/badge-plus-module-class.php:98)
  • action: mycred_after_badge_plus_assign (includes/badge-plus-module-class.php:529)
  • action: rest_api_init (includes/badge-plus-module-class.php:530)
  • filter: post_row_actions (includes/badge-plus-module-class.php:572)
  • action: restrict_manage_posts (includes/badge-plus-module-class.php:575)
  • action: enqueue_block_editor_assets (includes/badge-plus-module-class.php:576)
  • action: mycred_user_edit_after_balances (includes/badge-plus-module-class.php:579)
  • action: the_post (includes/blocks/badge-plus-blocks.php:14)
  • action: enqueue_block_editor_assets (includes/blocks/badge-plus-blocks.php:54)
  • filter: block_categories_all (includes/blocks/badge-plus-blocks.php:55)
  • filter: mycred_load_modules (includes/class-init.php:36)
  • action: admin_notices (includes/class-init.php:57)
  • action: admin_notices (mycred-badge-plus.php:55)
Maintenance & Trust

myCred Badge Plus Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 17, 2025
PHP min version: 7.0
Downloads: 3K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

myCred Badge Plus Developer Profile

Saad Iqbal

89 plugins · 1.4M total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 267 days
Detection Fingerprints

How We Detect myCred Badge Plus

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/mycred-badge-plus/assets/css/badge-plus-admin.css
  • /wp-content/plugins/mycred-badge-plus/assets/js/admin.js
  • /wp-content/plugins/mycred-badge-plus/assets/js/open-badge-plus.js
  • /wp-content/plugins/mycred-badge-plus/assets/css/badge-plus-frontend.css
Script Paths
  • /wp-content/plugins/mycred-badge-plus/assets/js/admin.js
  • /wp-content/plugins/mycred-badge-plus/assets/js/open-badge-plus.js
Version Parameters
  • mycred-badge-plus/assets/css/badge-plus-admin.css?ver=
  • mycred-badge-plus/assets/js/admin.js?ver=
  • mycred-badge-plus/assets/js/open-badge-plus.js?ver=
  • mycred-badge-plus/assets/css/badge-plus-frontend.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • badge-plus-settings
  • badge-plus-field-wrapper
  • badge-plus-open-badge-settings
HTML Comments
  • <!-- Badge Plus Requirements -->
  • <!-- Badge Plus Blocks -->
  • <!-- Badge Plus Key -->
  • <!-- Badge Plus Type -->
  • +3 more
Data Attributes
  • data-badge-plus-id
  • data-badge-plus-action
JS Globals
  • mycred_badge_plus_switch_all_to_open_badge_plus
Shortcode Output
  • [mycred_show_all_badge_plus]
  • [mycred_badge_plus]
  • [mycred_user_badges]