<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CorvusPay - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/corvuspay/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 07:23:04 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/corvuspay/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-6939: Unauthenticated Stored XSS in CorvusPay WooCommerce Payment Gateway for WordPress</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-6939-wordpress-corvuspay-xss/</link><pubDate>Sat, 11 Jul 2026 07:23:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-6939-wordpress-corvuspay-xss/</guid><description>The CorvusPay WooCommerce Payment Gateway plugin for WordPress versions up to and including 2.7.4 is vulnerable to Stored Cross-Site Scripting (XSS), tracked as CVE-2026-6939, allowing unauthenticated attackers to inject malicious web scripts via the 'approval_code' parameter to the `/wp-json/corvuspay/success/` REST endpoint, which processes requests without proper signature validation, leading to script execution when a user accesses an affected page.</description><content:encoded><![CDATA[<p>The CorvusPay WooCommerce Payment Gateway plugin for WordPress, in all versions up to and including 2.7.4, is affected by CVE-2026-6939, a critical Stored Cross-Site Scripting (XSS) vulnerability. This flaw stems from insufficient input sanitization and output escaping of the <code>approval_code</code> parameter. Unauthenticated attackers can exploit this by sending a crafted request to the <code>/wp-json/corvuspay/success/</code> REST API endpoint. The endpoint's <code>permission_callback</code> is set to <code>__return_true</code>, and critically, while a signature validation step exists, it merely logs failures rather than halting execution. This oversight allows attackers to bypass validation entirely, injecting arbitrary web scripts into the database via the <code>approval_code</code>. These malicious scripts then execute in a user's browser whenever they access an affected page, potentially leading to session hijacking, defacement, or further client-side attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a WordPress site utilizing the vulnerable CorvusPay WooCommerce Payment Gateway plugin, specifically versions up to and including 2.7.4.</li>
<li>The attacker crafts a malicious payload containing arbitrary JavaScript, designed to be injected into the <code>approval_code</code> parameter (e.g., <code>approval_code=&lt;script&gt;alert(document.cookie)&lt;/script&gt;</code>).</li>
<li>The attacker sends an unauthenticated HTTP POST request to the plugin's <code>/wp-json/corvuspay/success/</code> REST API endpoint, including the crafted <code>approval_code</code> payload.</li>
<li>The endpoint processes the request due to its <code>permission_callback</code> being set to <code>__return_true</code>, circumventing authentication checks.</li>
<li>Although a signature validation mechanism is present, the plugin is configured to log validation failures without terminating the request, allowing the attacker's invalid signature to be ignored.</li>
<li>The plugin proceeds to store the unsanitized <code>approval_code</code> parameter, now containing the malicious JavaScript, directly into the WordPress database.</li>
<li>A legitimate user or administrator navigates to a WordPress page that retrieves and displays the stored <code>approval_code</code> value from the database.</li>
<li>The embedded malicious JavaScript code executes within the unsuspecting user's web browser, leading to client-side compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6939 allows unauthenticated attackers to achieve Stored Cross-Site Scripting, leading to significant client-side impact. Attackers can inject arbitrary web scripts that execute in the context of a legitimate user's browser. This enables various malicious activities, including session hijacking, which can compromise user accounts and sensitive data, website defacement, redirection to malicious sites, or the deployment of further client-side attacks. The wide adoption of WordPress and WooCommerce plugins means a broad range of e-commerce sites and their customers could be affected, leading to data breaches, reputational damage, and financial losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-6939 immediately by updating the CorvusPay WooCommerce Payment Gateway plugin to a version beyond 2.7.4.</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-6939 Exploitation - CorvusPay WooCommerce Stored XSS&quot; to your SIEM to detect attempts at exploiting this vulnerability.</li>
<li>Enable comprehensive web server logging for HTTP POST requests, particularly focusing on the <code>cs-uri-stem</code> and <code>cs-uri-query</code> fields, to aid in detection and forensic analysis.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>xss</category><category>web-application</category><category>plugin</category></item></channel></rss>