Skip to main content

Custom Payment Gateways For Woocommerce

1 CVEs product

Monthly

CVE-2026-7517 HIGH This Week

Stored cross-site scripting in the Custom Payment Gateways for WooCommerce WordPress plugin (all versions through 2.1.0) lets unauthenticated guests plant persistent JavaScript by submitting a crafted checkout POST request via the 'alg_wc_cpg_input_fields' parameter. The injected script executes in the browser of any user - including store administrators - who later views the affected page, enabling session/account compromise in the WordPress admin context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but the unauthenticated, no-configuration-required attack path makes it materially exploitable against default installs.

WordPress XSS Custom Payment Gateways For Woocommerce
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Custom Payment Gateways for WooCommerce WordPress plugin (all versions through 2.1.0) lets unauthenticated guests plant persistent JavaScript by submitting a crafted checkout POST request via the 'alg_wc_cpg_input_fields' parameter. The injected script executes in the browser of any user - including store administrators - who later views the affected page, enabling session/account compromise in the WordPress admin context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but the unauthenticated, no-configuration-required attack path makes it materially exploitable against default installs.

WordPress XSS Custom Payment Gateways For Woocommerce
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy