PT-2026-60989 · WordPress · Flow Payment
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Flow Payment plugin for WordPress version 3.0.8
Description
Reflected cross-site scripting occurs on the WooCommerce checkout page when the plugin handles order cancellations. The
error message GET parameter is passed to the wc add notice() function in the flowpayment-fl.php file without proper input sanitization or output escaping. An unauthenticated attacker can craft a URL containing a JavaScript payload in the error message parameter; if a victim with an active WooCommerce checkout session follows the link, the payload executes in the victim's browser within the origin of the WordPress site.Recommendations
Update Flow Payment plugin for WordPress to a version newer than 3.0.8.
As a temporary mitigation, avoid using the
error message parameter in the checkout page until the plugin is updated.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Flow Payment