{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/corvuspay-woocommerce-payment-gateway-plugin--2.7.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-6939"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CorvusPay WooCommerce Payment Gateway plugin \u003c= 2.7.4","WordPress"],"_cs_severities":["high"],"_cs_tags":["wordpress","xss","web-application","plugin"],"_cs_type":"advisory","_cs_vendors":["CorvusPay","WordPress"],"content_html":"\u003cp\u003eThe CorvusPay WooCommerce Payment Gateway plugin for WordPress, in all versions up to and including 2.7.4, is affected by CVE-2026-6939, a critical Stored Cross-Site Scripting (XSS) vulnerability. This flaw stems from insufficient input sanitization and output escaping of the \u003ccode\u003eapproval_code\u003c/code\u003e parameter. Unauthenticated attackers can exploit this by sending a crafted request to the \u003ccode\u003e/wp-json/corvuspay/success/\u003c/code\u003e REST API endpoint. The endpoint's \u003ccode\u003epermission_callback\u003c/code\u003e is set to \u003ccode\u003e__return_true\u003c/code\u003e, and critically, while a signature validation step exists, it merely logs failures rather than halting execution. This oversight allows attackers to bypass validation entirely, injecting arbitrary web scripts into the database via the \u003ccode\u003eapproval_code\u003c/code\u003e. These malicious scripts then execute in a user's browser whenever they access an affected page, potentially leading to session hijacking, defacement, or further client-side attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a WordPress site utilizing the vulnerable CorvusPay WooCommerce Payment Gateway plugin, specifically versions up to and including 2.7.4.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing arbitrary JavaScript, designed to be injected into the \u003ccode\u003eapproval_code\u003c/code\u003e parameter (e.g., \u003ccode\u003eapproval_code=\u0026lt;script\u0026gt;alert(document.cookie)\u0026lt;/script\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated HTTP POST request to the plugin's \u003ccode\u003e/wp-json/corvuspay/success/\u003c/code\u003e REST API endpoint, including the crafted \u003ccode\u003eapproval_code\u003c/code\u003e payload.\u003c/li\u003e\n\u003cli\u003eThe endpoint processes the request due to its \u003ccode\u003epermission_callback\u003c/code\u003e being set to \u003ccode\u003e__return_true\u003c/code\u003e, circumventing authentication checks.\u003c/li\u003e\n\u003cli\u003eAlthough a signature validation mechanism is present, the plugin is configured to log validation failures without terminating the request, allowing the attacker's invalid signature to be ignored.\u003c/li\u003e\n\u003cli\u003eThe plugin proceeds to store the unsanitized \u003ccode\u003eapproval_code\u003c/code\u003e parameter, now containing the malicious JavaScript, directly into the WordPress database.\u003c/li\u003e\n\u003cli\u003eA legitimate user or administrator navigates to a WordPress page that retrieves and displays the stored \u003ccode\u003eapproval_code\u003c/code\u003e value from the database.\u003c/li\u003e\n\u003cli\u003eThe embedded malicious JavaScript code executes within the unsuspecting user's web browser, leading to client-side compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6939 allows unauthenticated attackers to achieve Stored Cross-Site Scripting, leading to significant client-side impact. Attackers can inject arbitrary web scripts that execute in the context of a legitimate user's browser. This enables various malicious activities, including session hijacking, which can compromise user accounts and sensitive data, website defacement, redirection to malicious sites, or the deployment of further client-side attacks. The wide adoption of WordPress and WooCommerce plugins means a broad range of e-commerce sites and their customers could be affected, leading to data breaches, reputational damage, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-6939 immediately by updating the CorvusPay WooCommerce Payment Gateway plugin to a version beyond 2.7.4.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-6939 Exploitation - CorvusPay WooCommerce Stored XSS\u0026quot; to your SIEM to detect attempts at exploiting this vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging for HTTP POST requests, particularly focusing on the \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e fields, to aid in detection and forensic analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T07:23:04Z","date_published":"2026-07-11T07:23:04Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-6939-wordpress-corvuspay-xss/","summary":"The CorvusPay WooCommerce Payment Gateway plugin for WordPress versions up to and including 2.7.4 is vulnerable to Stored Cross-Site Scripting (XSS), tracked as CVE-2026-6939, allowing unauthenticated attackers to inject malicious web scripts via the 'approval_code' parameter to the `/wp-json/corvuspay/success/` REST endpoint, which processes requests without proper signature validation, leading to script execution when a user accesses an affected page.","title":"CVE-2026-6939: Unauthenticated Stored XSS in CorvusPay WooCommerce Payment Gateway for WordPress","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-6939-wordpress-corvuspay-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - CorvusPay WooCommerce Payment Gateway Plugin \u003c= 2.7.4","version":"https://jsonfeed.org/version/1.1"}