PT-2026-60989 · WordPress · Flow Payment

·

CVE-2026-57857

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions Flow Payment plugin for WordPress version 3.0.8
Description Reflected cross-site scripting occurs on the WooCommerce checkout page when the plugin handles order cancellations. The error message GET parameter is passed to the wc add notice() function in the flowpayment-fl.php file without proper input sanitization or output escaping. An unauthenticated attacker can craft a URL containing a JavaScript payload in the error message parameter; if a victim with an active WooCommerce checkout session follows the link, the payload executes in the victim's browser within the origin of the WordPress site.
Recommendations Update Flow Payment plugin for WordPress to a version newer than 3.0.8. As a temporary mitigation, avoid using the error message parameter in the checkout page until the plugin is updated.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-57857

Affected Products

Flow Payment