Stored Cross-Site Scripting Vulnerability in Custom Payment Gateways for WooCommerce
CVE-2026-7517
7.2HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 1 July 2026
What is CVE-2026-7517?
The Custom Payment Gateways for WooCommerce plugin for WordPress is susceptible to a stored cross-site scripting vulnerability due to inadequate input sanitization and output escaping in the 'alg_wc_cpg_input_fields' parameter. This flaw allows unauthenticated attackers to inject malicious web scripts, which can execute when users access affected pages. The exploitation requires crafting a checkout POST request, without the need for custom input fields to be configured. The issue affects all versions of the plugin up to and including 2.1.0.
Affected Version(s)
Custom Payment Gateways for WooCommerce 0 <= 2.1.0