Woocommerce Placetopay Gateway Colombia
Monthly
Reflected Cross-Site Scripting in the WooCommerce PlacetoPay Gateway family of plugins (all regional Evertec variants) allows unauthenticated network-based attackers to inject and execute arbitrary JavaScript in victims' browsers by abusing the unsanitized 'redirect-url' parameter - confirmed in versions up to and including 3.2.2 across at least six regional plugin variants (Colombia, Ecuador, Honduras, Uruguay, Belice, and base). Exploitation requires the attacker to socially engineer a victim into clicking a crafted link; no patch version has been identified in the available data, as the most recent release (3.2.2, dated 2026-04-22) addresses only a tax-validation issue and not this XSS. No public exploit code or CISA KEV listing identified at time of analysis.
Reflected Cross-Site Scripting in the WooCommerce PlacetoPay Gateway family of plugins (all regional Evertec variants) allows unauthenticated network-based attackers to inject and execute arbitrary JavaScript in victims' browsers by abusing the unsanitized 'redirect-url' parameter - confirmed in versions up to and including 3.2.2 across at least six regional plugin variants (Colombia, Ecuador, Honduras, Uruguay, Belice, and base). Exploitation requires the attacker to socially engineer a victim into clicking a crafted link; no patch version has been identified in the available data, as the most recent release (3.2.2, dated 2026-04-22) addresses only a tax-validation issue and not this XSS. No public exploit code or CISA KEV listing identified at time of analysis.