CVE-2026-6939
CorvusInfo · CorvusPay WooCommerce Payment Gateway
The CorvusPay WooCommerce Payment Gateway plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the 'approval_code' parameter.
Executive summary
The CorvusPay WooCommerce Payment Gateway plugin is vulnerable to stored cross-site scripting, allowing unauthenticated attackers to execute malicious scripts in a user's browser.
Vulnerability
This is a stored XSS vulnerability (CWE-79) triggered by improper sanitization of the 'approval_code' parameter. The vulnerability does not require authentication (PR:N) and impacts the integrity and confidentiality of the WordPress administration interface.
Business impact
Successful exploitation allows an attacker to inject malicious scripts into the WooCommerce order management interface, potentially leading to session hijacking, unauthorized administrative actions, or theft of customer data. The 7.2 CVSS score reflects the high severity of allowing persistent script execution within a payment processing environment.
Remediation
Immediate Action: Update the CorvusPay WooCommerce Payment Gateway plugin to version 2.7.5 or later immediately.
Proactive Monitoring: Review WordPress administrator access logs and monitor for unexpected changes to site settings or unauthorized user creation.
Compensating Controls: Deploy a Web Application Firewall (WAF) with robust XSS protection rules to filter malicious payloads from incoming requests.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Plugin security is critical for e-commerce platforms. Administrators must update the CorvusPay plugin immediately to version 2.7.5. If an update cannot be performed immediately, the plugin should be disabled to prevent potential administrative account compromise.