Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Public unauthenticated REST endpoint (PR:N, AV:N, AC:L) with a bypassable signature check; stored XSS executing in another context yields S:C with limited C:L/I:L and no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approval_code' parameter in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unauthenticated REST endpoint POST /wp-json/corvuspay/success/ is registered with permission_callback set to __return_true, and although a signature validation step exists it only logs the result without halting execution, meaning an attacker can supply a completely arbitrary signature and have a malicious approval_code stored in the database unchallenged.
Articles & Coverage 1
AnalysisAI
Stored cross-site scripting in the CorvusPay WooCommerce Payment Gateway plugin for WordPress (all versions through 2.7.4) lets unauthenticated attackers persist arbitrary JavaScript through the 'approval_code' parameter. The plugin exposes the REST route POST /wp-json/corvuspay/success/ with permission_callback set to __return_true, and its signature check only logs failures instead of blocking execution, so an attacker with any bogus signature can write a malicious approval_code into the order record, which then executes when a store operator or user views the affected page. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the CorvusPay WooCommerce Payment Gateway plugin (≤ 2.7.4) installed and active on an internet-reachable WordPress site, with its public REST endpoint POST /wp-json/corvuspay/success/ accessible; the endpoint's permission_callback is __return_true and its signature validation only logs - never halts - so no valid signature, credentials, or authentication are needed to write the payload. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2 High) reflects a network-reachable, low-complexity, unauthenticated flaw with a scope change - consistent with stored XSS where injected script executes in a different security context (e.g., a logged-in admin's browser). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a single crafted POST request to /wp-json/corvuspay/success/ with an arbitrary invalid signature and an approval_code containing a JavaScript payload; because the endpoint is public and the signature check does not stop execution, the payload is stored against an order. When a store administrator later opens that order in wp-admin (or the success page is rendered), the script runs in their authenticated session, enabling session/cookie theft or forged admin actions. … |
| Remediation | Upgrade to the latest release of the CorvusPay WooCommerce Payment Gateway plugin beyond 2.7.4; an upstream fix appears in the WordPress plugin repository changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3576949%40corvuspay-woocommerce-integration&new=3576949%40corvuspay-woocommerce-integration), but no exact fixed version number is stated in the available data, so confirm the patched version via the Wordfence advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress instances for CorvusPay WooCommerce Payment Gateway; disable the plugin on affected systems immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated order cancellation in CorvusPay WooCommerce Payment Gateway (all versions up to and including 2.7.4) all
Payment bypass in the CorvusPay WooCommerce Payment Gateway plugin (all versions up to and including 2.7.4) enables unau
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43161
GHSA-3qh5-q7jr-f3w8