EUVD-2026-38213
Cross-site Scripting (XSS) (CWE-79)
GHSA-4c54-mjrj-jwj4
7.1
CVSS 3.1 · Vendor: WPScan
Share
Severity by source
Vendor (WPScan)
PRIMARY
7.1
HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from Vendor (WPScan) · only source for this CVE.
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
Lifecycle Timeline
2
Patch available
Jun 22, 2026 - 07:46 EUVD
CVE Published
Jun 22, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)
DescriptionCVE.org
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator
Articles & Coverage 2
Analysis
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today
Destination URL
POC code from unknown sources may be malicious, contain backdoors, or be fake.
Always review and test exploit code in a safe, isolated environment (VM/sandbox).
Verify the source reputation and cross-reference with known databases (Exploit-DB, GitHub Security).