Skip to main content

PlacetoPay Gateway CVE-2026-11324

| EUVDEUVD-2026-45129 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-17 Wordfence GHSA-g666-vr5r-v828
6.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Reflected XSS via crafted URL requires victim click (UI:R); scope changes as script runs in browser origin (S:C); no credentials needed from attacker (PR:N); no availability impact for XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 17, 2026 - 04:22 vuln.today
Analysis Generated
Jul 17, 2026 - 04:22 vuln.today
CVE Published
Jul 17, 2026 - 02:31 nvd
MEDIUM 6.1

DescriptionNVD

The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AnalysisAI

Reflected Cross-Site Scripting in the WooCommerce PlacetoPay Gateway family of plugins (all regional Evertec variants) allows unauthenticated network-based attackers to inject and execute arbitrary JavaScript in victims' browsers by abusing the unsanitized 'redirect-url' parameter - confirmed in versions up to and including 3.2.2 across at least six regional plugin variants (Colombia, Ecuador, Honduras, Uruguay, Belice, and base). Exploitation requires the attacker to socially engineer a victim into clicking a crafted link; no patch version has been identified in the available data, as the most recent release (3.2.2, dated 2026-04-22) addresses only a tax-validation issue and not this XSS. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious 'redirect-url' payload
Delivery
Embed in phishing or spoofed order-confirmation link
Exploit
Victim clicks crafted URL targeting PlacetoPay payment endpoint
Execution
Server reflects unescaped parameter into HTML response
Persist
Injected script executes in victim's browser under store origin
Impact
Steal session cookie or render credential-harvesting overlay

Vulnerability AssessmentAI

Exploitation The WooCommerce PlacetoPay Gateway plugin (any regional variant) must be installed and active on a WordPress site running WooCommerce, and the payment redirect flow must be reachable by external users - which is the default operating mode for any active storefront. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.1 (Medium) is consistent with reflected XSS: AV:N/AC:L/PR:N indicates that no authentication or special network position is required from the attacker, while UI:R is the primary real-world limiting factor - a victim must actively click a crafted link, preventing passive or wormable exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targets customers of a Latin American WooCommerce store by crafting a URL to the site's PlacetoPay payment redirect endpoint with a malicious JavaScript payload embedded in the 'redirect-url' parameter, then distributes this link via a phishing email or fake order confirmation. When the customer clicks the link, the page renders with the unescaped payload reflected in the HTML, causing the script to execute in the victim's browser under the legitimate store's origin - enabling session cookie theft, credential harvesting via an injected form overlay, or fraudulent redirection. …
Remediation No vendor-released patched version has been identified at time of analysis - the 3.2.2 release (2026-04-22) is the latest available and contains only a tax-validation change, not an XSS fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy