Skip to main content

Custom Payment Gateways for WooCommerce CVE-2026-7517

| EUVDEUVD-2026-40902 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 Wordfence GHSA-6q84-x2rr-737v
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Unauthenticated remote injection needs no auth or special config (PR:N/AC:L), stored XSS executing in a privileged browser context yields scope change (S:C) with limited confidentiality/integrity impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:23 vuln.today
CVE Published
Jul 01, 2026 - 04:32 nvd
HIGH 7.2

DescriptionCVE.org

The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alg_wc_cpg_input_fields' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability is exploitable by unauthenticated guest users submitting a crafted checkout POST request, requiring no custom input fields to be configured in the plugin.

AnalysisAI

Stored cross-site scripting in the Custom Payment Gateways for WooCommerce WordPress plugin (all versions through 2.1.0) lets unauthenticated guests plant persistent JavaScript by submitting a crafted checkout POST request via the 'alg_wc_cpg_input_fields' parameter. The injected script executes in the browser of any user - including store administrators - who later views the affected page, enabling session/account compromise in the WordPress admin context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach store checkout endpoint
Delivery
Submit crafted checkout POST
Exploit
Inject script via alg_wc_cpg_input_fields
Install
Payload stored with order data
C2
Admin views injected page
Execute
Script runs in admin session
Impact
Hijack account or actions

Vulnerability AssessmentAI

Exploitation Exploitation requires only that a WordPress site have the Custom Payment Gateways for WooCommerce plugin (version ≤ 2.1.0) installed and active with a reachable WooCommerce checkout; the description explicitly states it works even when no custom input fields are configured, so no non-default plugin setup is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, 7.2 High) reflects a remote, low-complexity, unauthenticated attack with a scope change into the victim's browser context and low confidentiality/integrity impact - consistent with the description stating unauthenticated guests can trigger it with no plugin-specific configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a crafted checkout POST request to a store running the plugin, placing a malicious <script> payload in the 'alg_wc_cpg_input_fields' parameter, which is stored with the order. When a store administrator later opens that order in the WordPress dashboard, the script executes in their authenticated session and can steal cookies, forge admin actions, or create a new admin account. …
Remediation Upstream fix available (committed via WordPress plugin SVN changeset 3578163, https://plugins.trac.wordpress.org/changeset?old=3578163%40custom-payment-gateways-woocommerce&new=3578163%40custom-payment-gateways-woocommerce); a released patched version above 2.1.0 is not independently confirmed from the provided data, so administrators should update to the latest available release of Custom Payment Gateways for WooCommerce and verify the installed version is newer than 2.1.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress instances using Custom Payment Gateways for WooCommerce version 2.1.0 or earlier; disable the plugin immediately if non-critical, or restrict checkout access to authenticated users only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7517 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy