Skip to content
Threat Feed
high advisory

CVE-2026-6939: Unauthenticated Stored XSS in CorvusPay WooCommerce Payment Gateway for WordPress

The CorvusPay WooCommerce Payment Gateway plugin for WordPress versions up to and including 2.7.4 is vulnerable to Stored Cross-Site Scripting (XSS), tracked as CVE-2026-6939, allowing unauthenticated attackers to inject malicious web scripts via the 'approval_code' parameter to the `/wp-json/corvuspay/success/` REST endpoint, which processes requests without proper signature validation, leading to script execution when a user accesses an affected page.

The CorvusPay WooCommerce Payment Gateway plugin for WordPress, in all versions up to and including 2.7.4, is affected by CVE-2026-6939, a critical Stored Cross-Site Scripting (XSS) vulnerability. This flaw stems from insufficient input sanitization and output escaping of the approval_code parameter. Unauthenticated attackers can exploit this by sending a crafted request to the /wp-json/corvuspay/success/ REST API endpoint. The endpoint's permission_callback is set to __return_true, and critically, while a signature validation step exists, it merely logs failures rather than halting execution. This oversight allows attackers to bypass validation entirely, injecting arbitrary web scripts into the database via the approval_code. These malicious scripts then execute in a user's browser whenever they access an affected page, potentially leading to session hijacking, defacement, or further client-side attacks.

Attack Chain

  1. An attacker identifies a WordPress site utilizing the vulnerable CorvusPay WooCommerce Payment Gateway plugin, specifically versions up to and including 2.7.4.
  2. The attacker crafts a malicious payload containing arbitrary JavaScript, designed to be injected into the approval_code parameter (e.g., approval_code=<script>alert(document.cookie)</script>).
  3. The attacker sends an unauthenticated HTTP POST request to the plugin's /wp-json/corvuspay/success/ REST API endpoint, including the crafted approval_code payload.
  4. The endpoint processes the request due to its permission_callback being set to __return_true, circumventing authentication checks.
  5. Although a signature validation mechanism is present, the plugin is configured to log validation failures without terminating the request, allowing the attacker's invalid signature to be ignored.
  6. The plugin proceeds to store the unsanitized approval_code parameter, now containing the malicious JavaScript, directly into the WordPress database.
  7. A legitimate user or administrator navigates to a WordPress page that retrieves and displays the stored approval_code value from the database.
  8. The embedded malicious JavaScript code executes within the unsuspecting user's web browser, leading to client-side compromise.

Impact

Successful exploitation of CVE-2026-6939 allows unauthenticated attackers to achieve Stored Cross-Site Scripting, leading to significant client-side impact. Attackers can inject arbitrary web scripts that execute in the context of a legitimate user's browser. This enables various malicious activities, including session hijacking, which can compromise user accounts and sensitive data, website defacement, redirection to malicious sites, or the deployment of further client-side attacks. The wide adoption of WordPress and WooCommerce plugins means a broad range of e-commerce sites and their customers could be affected, leading to data breaches, reputational damage, and financial losses.

Recommendation

  • Patch CVE-2026-6939 immediately by updating the CorvusPay WooCommerce Payment Gateway plugin to a version beyond 2.7.4.
  • Deploy the Sigma rule "Detects CVE-2026-6939 Exploitation - CorvusPay WooCommerce Stored XSS" to your SIEM to detect attempts at exploiting this vulnerability.
  • Enable comprehensive web server logging for HTTP POST requests, particularly focusing on the cs-uri-stem and cs-uri-query fields, to aid in detection and forensic analysis.

Detection coverage 1

Detects CVE-2026-6939 Exploitation - CorvusPay WooCommerce Stored XSS

high

Detects CVE-2026-6939 exploitation - Unauthenticated Stored Cross-Site Scripting via POST request to /wp-json/corvuspay/success/ with malicious script in 'approval_code' parameter.

sigma tactics: execution, initial_access techniques: T1059.007, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →