Skip to main content

CorvusPay WooCommerce Gateway CVE-2026-6939

| EUVDEUVD-2026-43161 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-11 Wordfence GHSA-3qh5-q7jr-f3w8
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Public unauthenticated REST endpoint (PR:N, AV:N, AC:L) with a bypassable signature check; stored XSS executing in another context yields S:C with limited C:L/I:L and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 06:50 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
HIGH 7.2

DescriptionCVE.org

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approval_code' parameter in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unauthenticated REST endpoint POST /wp-json/corvuspay/success/ is registered with permission_callback set to __return_true, and although a signature validation step exists it only logs the result without halting execution, meaning an attacker can supply a completely arbitrary signature and have a malicious approval_code stored in the database unchallenged.

AnalysisAI

Stored cross-site scripting in the CorvusPay WooCommerce Payment Gateway plugin for WordPress (all versions through 2.7.4) lets unauthenticated attackers persist arbitrary JavaScript through the 'approval_code' parameter. The plugin exposes the REST route POST /wp-json/corvuspay/success/ with permission_callback set to __return_true, and its signature check only logs failures instead of blocking execution, so an attacker with any bogus signature can write a malicious approval_code into the order record, which then executes when a store operator or user views the affected page. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running CorvusPay plugin
Delivery
POST to /wp-json/corvuspay/success/ with bogus signature
Exploit
approval_code XSS payload stored in DB
Execution
admin opens affected order page
Persist
script executes in admin session
Impact
hijack session or forge actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the CorvusPay WooCommerce Payment Gateway plugin (≤ 2.7.4) installed and active on an internet-reachable WordPress site, with its public REST endpoint POST /wp-json/corvuspay/success/ accessible; the endpoint's permission_callback is __return_true and its signature validation only logs - never halts - so no valid signature, credentials, or authentication are needed to write the payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2 High) reflects a network-reachable, low-complexity, unauthenticated flaw with a scope change - consistent with stored XSS where injected script executes in a different security context (e.g., a logged-in admin's browser). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a single crafted POST request to /wp-json/corvuspay/success/ with an arbitrary invalid signature and an approval_code containing a JavaScript payload; because the endpoint is public and the signature check does not stop execution, the payload is stored against an order. When a store administrator later opens that order in wp-admin (or the success page is rendered), the script runs in their authenticated session, enabling session/cookie theft or forged admin actions. …
Remediation Upgrade to the latest release of the CorvusPay WooCommerce Payment Gateway plugin beyond 2.7.4; an upstream fix appears in the WordPress plugin repository changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3576949%40corvuspay-woocommerce-integration&new=3576949%40corvuspay-woocommerce-integration), but no exact fixed version number is stated in the available data, so confirm the patched version via the Wordfence advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress instances for CorvusPay WooCommerce Payment Gateway; disable the plugin on affected systems immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy