myCred GiveWP Security & Risk Analysis

wordpress.org/plugins/mycred-givewp

📢🚨 Important Notice: myCred GiveWP is now part of the myCred Toolkit and will no longer receive updates here. Only security fixes will be provided.

10 active installs · v1.0.8 · PHP 7.0+ · WP 4.8+ · Updated Apr 17, 2025
Tags: charity, donation, donations, givewp, points-system
Score: 92 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is myCred GiveWP Safe to Use in 2026?

Generally Safe

Score 92/100

myCred GiveWP has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The plugin "mycred-givewp" v1.0.8 presents a mixed security posture. On the positive side, the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and has no known historical vulnerabilities. This suggests a generally well-maintained codebase and a commitment to security from the developers. The absence of file operations and external HTTP requests also limits potential attack vectors.

However, significant concerns arise from the static analysis. The plugin exposes two AJAX handlers, both of which lack authentication checks: the myCred_gwp_save_entry action is registered for both authenticated (auth) and unauthenticated (nopriv) requests. This creates a direct and unprotected attack surface, allowing any visitor to trigger these functions. The analysis also found no nonce checks and no capability checks on these entry points, making them susceptible to Cross-Site Request Forgery (CSRF) and unauthorized actions. No critical or high severity taint flows were detected, and output escaping is at a moderate 62%, so the unprotected AJAX endpoints are the most pressing security issue.

In conclusion, the plugin's lack of historical vulnerabilities and use of prepared statements are strengths. However, the presence of unprotected AJAX endpoints represents a critical weakness that could be exploited. The absence of nonce and capability checks exacerbates this risk. Addressing these unprotected entry points should be the immediate priority to improve the plugin's security.

Key Concerns

  • Unprotected AJAX handlers
  • Missing nonce checks on AJAX
  • Missing capability checks on AJAX
  • Moderate output escaping (38% not escaped)
Vulnerabilities
None known

myCred GiveWP Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

myCred GiveWP Release Timeline

v1.0.8 (Current)
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0
Code Analysis
Analyzed Apr 16, 2026

myCred GiveWP Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 11 (18 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

62% escaped · 29 total outputs
Attack Surface
2 unprotected

myCred GiveWP Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers: 2

auth · wp_ajax_myCred_gwp_save_entry · includes/mycred_give_wp_multiple_hook.php:31
nopriv · wp_ajax_myCred_gwp_save_entry · includes/mycred_give_wp_multiple_hook.php:32

WordPress Hooks: 11

action · admin_notices · mycred-give-wp-addon.php:30
action · admin_enqueue_scripts · mycred-give-wp-addon.php:74
action · wp_enqueue_scripts · mycred-give-wp-addon.php:75
action · init · mycred-give-wp-addon.php:76
action · mycred_load_hooks · mycred-give-wp-addon.php:77
filter · mycred_setup_hooks · mycred-give-wp-addon.php:78
filter · mycred_all_references · mycred-give-wp-addon.php:79
filter · mycred_badge_requirement · mycred-give-wp-addon.php:82
filter · mycred_badge_requirement_specific_template · mycred-give-wp-addon.php:83
action · admin_head · mycred-give-wp-addon.php:84
action · admin_notices · mycred-give-wp-addon.php:87
Maintenance & Trust

myCred GiveWP Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 17, 2025
PHP min version: 7.0
Downloads: 4K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

myCred GiveWP Developer Profile

Saad Iqbal

89 plugins · 1.4M total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 267 days
Detection Fingerprints

How We Detect myCred GiveWP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/mycred-givewp/assets/js/give_wp_script.js
  • /wp-content/plugins/mycred-givewp/assets/css/give_wp_style.css
  • /wp-content/plugins/mycred-givewp/assets/js/mycred_give_wp_script.js
Script Paths
  • wp-content/plugins/mycred-givewp/assets/js/give_wp_script.js
  • wp-content/plugins/mycred-givewp/assets/css/give_wp_style.css
  • wp-content/plugins/mycred-givewp/assets/js/mycred_give_wp_script.js
Version Parameters
  • mycred_gwp_script
  • mycred_gwp_style
  • mycred_give_wp_ajaxurl

HTML / DOM Fingerprints

CSS Classes
mycred_give_wp_frontend_scripts_obj
JS Globals
mycred_give_wp_frontend_scripts_obj