Stored Cross-Site Scripting Vulnerability in CorvusPay WooCommerce Payment Gateway for WordPress
CVE-2026-6939

7.2HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-6939?

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability through the 'approval_code' parameter. This flaw stems from inadequate input sanitization and output escaping across all versions up to 2.7.4. Attackers can exploit this vulnerability by injecting arbitrary web scripts, which will execute when users access affected pages. The unauthenticated REST endpoint POST /wp-json/corvuspay/success/ is poorly secured, having a permission callback set to __return_true. Although there is a signature validation process, it merely logs the outcome without stopping execution, allowing attackers to input arbitrary signatures and store malicious 'approval_code' data without any checks.

Affected Version(s)

CorvusPay WooCommerce Payment Gateway 0 <= 2.7.4

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valatty
.