Stored Cross-Site Scripting Vulnerability in CorvusPay WooCommerce Payment Gateway for WordPress
CVE-2026-6939
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-6939?
The CorvusPay WooCommerce Payment Gateway plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability through the 'approval_code' parameter. This flaw stems from inadequate input sanitization and output escaping across all versions up to 2.7.4. Attackers can exploit this vulnerability by injecting arbitrary web scripts, which will execute when users access affected pages. The unauthenticated REST endpoint POST /wp-json/corvuspay/success/ is poorly secured, having a permission callback set to __return_true. Although there is a signature validation process, it merely logs the outcome without stopping execution, allowing attackers to input arbitrary signatures and store malicious 'approval_code' data without any checks.
Affected Version(s)
CorvusPay WooCommerce Payment Gateway 0 <= 2.7.4