PT-2026-57419 · WordPress · Corvuspay Woocommerce Payment Gateway
Valatty
·
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-6939
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
CorvusPay WooCommerce Payment Gateway versions prior to 2.7.5
Description
Insufficient input sanitization and output escaping allow unauthenticated attackers to perform Stored Cross-Site Scripting. An attacker can inject arbitrary web scripts into pages that execute when a user accesses them. This is possible because the unauthenticated REST endpoint "POST /wp-json/corvuspay/success/" has its
permission callback set to return true. While a signature validation step is present, it only logs the result without stopping execution, allowing a malicious approval code to be stored in the database regardless of the signature provided.Recommendations
Update CorvusPay WooCommerce Payment Gateway to version 2.7.5 or later.
Avoid using the
approval code parameter in the "POST /wp-json/corvuspay/success/" endpoint until the update is applied.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Corvuspay Woocommerce Payment Gateway