PT-2026-57419 · WordPress · Corvuspay Woocommerce Payment Gateway

Valatty

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-6939

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions CorvusPay WooCommerce Payment Gateway versions prior to 2.7.5
Description Insufficient input sanitization and output escaping allow unauthenticated attackers to perform Stored Cross-Site Scripting. An attacker can inject arbitrary web scripts into pages that execute when a user accesses them. This is possible because the unauthenticated REST endpoint "POST /wp-json/corvuspay/success/" has its permission callback set to return true. While a signature validation step is present, it only logs the result without stopping execution, allowing a malicious approval code to be stored in the database regardless of the signature provided.
Recommendations Update CorvusPay WooCommerce Payment Gateway to version 2.7.5 or later. Avoid using the approval code parameter in the "POST /wp-json/corvuspay/success/" endpoint until the update is applied.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6939

Affected Products

Corvuspay Woocommerce Payment Gateway