Custom Payment Gateways For Woocommerce
Monthly
Stored cross-site scripting in the Custom Payment Gateways for WooCommerce WordPress plugin (all versions through 2.1.0) lets unauthenticated guests plant persistent JavaScript by submitting a crafted checkout POST request via the 'alg_wc_cpg_input_fields' parameter. The injected script executes in the browser of any user - including store administrators - who later views the affected page, enabling session/account compromise in the WordPress admin context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but the unauthenticated, no-configuration-required attack path makes it materially exploitable against default installs.
Stored cross-site scripting in the Custom Payment Gateways for WooCommerce WordPress plugin (all versions through 2.1.0) lets unauthenticated guests plant persistent JavaScript by submitting a crafted checkout POST request via the 'alg_wc_cpg_input_fields' parameter. The injected script executes in the browser of any user - including store administrators - who later views the affected page, enabling session/account compromise in the WordPress admin context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but the unauthenticated, no-configuration-required attack path makes it materially exploitable against default installs.