Product
The CorvusPay WooCommerce Payment Gateway plugin for WordPress versions up to and including 2.7.4 is vulnerable to Stored Cross-Site Scripting (XSS), tracked as CVE-2026-6939, allowing unauthenticated attackers to inject malicious web scripts via the 'approval_code' parameter to the `/wp-json/corvuspay/success/` REST endpoint, which processes requests without proper signature validation, leading to script execution when a user accesses an affected page.