Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reflected XSS via crafted URL requires victim click (UI:R); scope changes as script runs in browser origin (S:C); no credentials needed from attacker (PR:N); no availability impact for XSS.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AnalysisAI
Reflected Cross-Site Scripting in the WooCommerce PlacetoPay Gateway family of plugins (all regional Evertec variants) allows unauthenticated network-based attackers to inject and execute arbitrary JavaScript in victims' browsers by abusing the unsanitized 'redirect-url' parameter - confirmed in versions up to and including 3.2.2 across at least six regional plugin variants (Colombia, Ecuador, Honduras, Uruguay, Belice, and base). Exploitation requires the attacker to socially engineer a victim into clicking a crafted link; no patch version has been identified in the available data, as the most recent release (3.2.2, dated 2026-04-22) addresses only a tax-validation issue and not this XSS. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The WooCommerce PlacetoPay Gateway plugin (any regional variant) must be installed and active on a WordPress site running WooCommerce, and the payment redirect flow must be reachable by external users - which is the default operating mode for any active storefront. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.1 (Medium) is consistent with reflected XSS: AV:N/AC:L/PR:N indicates that no authentication or special network position is required from the attacker, while UI:R is the primary real-world limiting factor - a victim must actively click a crafted link, preventing passive or wormable exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targets customers of a Latin American WooCommerce store by crafting a URL to the site's PlacetoPay payment redirect endpoint with a malicious JavaScript payload embedded in the 'redirect-url' parameter, then distributes this link via a phishing email or fake order confirmation. When the customer clicks the link, the page renders with the unescaped payload reflected in the HTML, causing the script to execute in the victim's browser under the legitimate store's origin - enabling session cookie theft, credential harvesting via an injected form overlay, or fraudulent redirection. … |
| Remediation | No vendor-released patched version has been identified at time of analysis - the 3.2.2 release (2026-04-22) is the latest available and contains only a tax-validation change, not an XSS fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45129
GHSA-g666-vr5r-v828