Stored XSS Vulnerability in Transbank Webpay Plugin for WordPress
CVE-2026-6858

7.1HIGH

Key Information:

Vendor: WordPress
Status: Transbank Webpay
Vendor: CVE Published:; 22 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-6858?

The Transbank Webpay plugin for WordPress, prior to version 1.14.0, exposes a vulnerability due to improper sanitization and escaping of logs. This flaw allows unauthenticated attackers to execute Stored XSS attacks, potentially compromising the accounts of logged-in administrators. Such vulnerabilities can lead to unauthorized actions within the administrative dashboard, making it crucial for users to upgrade to the latest version to mitigate this risk.

Affected Version(s)

Transbank Webpay 0 < 1.14.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-6858 - Proof of Concept

References

https://wpscan.com/vulnerability/81035d75-81a5-486a-a9fb-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 22, 2026
👾
Exploit known to exist
Jun 22, 2026
Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Apr 22, 2026

Credit

Mateo Contenla & Matías Schiappacasse

WPScan

CVE-2026-6858 Data

JSON