Stored Cross-Site Scripting Vulnerability in Custom Payment Gateways for WooCommerce
CVE-2026-7517

7.2 HIGH

What is CVE-2026-7517?

The Custom Payment Gateways for WooCommerce plugin for WordPress is susceptible to a stored cross-site scripting vulnerability due to inadequate input sanitization and output escaping in the 'alg_wc_cpg_input_fields' parameter. This flaw allows unauthenticated attackers to inject malicious web scripts, which can execute when users access affected pages. The exploitation requires crafting a checkout POST request, without the need for custom input fields to be configured. The issue affects all versions of the plugin up to and including 2.1.0.

Affected Version(s)

Custom Payment Gateways for WooCommerce: all versions <= 2.1.0

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Azril Fathoni (kiseki)