CVE-2026-11324 in Placetopay Gateway Plugininfo

Summary

by MITRE • 07/17/2026

The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability discovered in the WooCommerce Placetopay Gateway and PlacetoPay/AvalPay WordPress plugins represents a critical reflected cross-site scripting flaw that affects versions up to and including 3.2.2. This security weakness stems from inadequate input validation and output escaping mechanisms within the plugin's handling of the 'redirect-url' parameter, creating an exploitable entry point for malicious actors seeking to compromise user sessions and execute unauthorized code within victim browsers.

The technical implementation of this vulnerability occurs when the plugin fails to properly sanitize user-supplied input from the redirect-url parameter before incorporating it into HTTP responses. This insufficient sanitization allows attackers to inject malicious JavaScript code that gets executed in the context of a victim's browser when they interact with a specially crafted link. The reflected nature of this XSS means that the malicious script is reflected off the web server rather than being stored on the server, making the attack delivery dependent on social engineering tactics to convince users to click on malicious links.

From an operational standpoint, this vulnerability poses significant risks to both merchants and their customers within the WordPress ecosystem. Unauthenticated attackers can exploit this weakness to steal session cookies, perform unauthorized transactions, redirect users to malicious sites, or execute arbitrary code that could lead to full system compromise. The impact extends beyond individual user sessions as compromised merchant accounts could result in financial losses, data breaches, and reputational damage. This vulnerability particularly affects e-commerce environments where users trust the website and may be prompted to make payments through the affected plugins.

The security implications align with CWE-79 which specifically addresses cross-site scripting vulnerabilities, and can be mapped to ATT&CK technique T1566 for social engineering attacks that leverage XSS as an initial access vector. Organizations using these vulnerable plugins face heightened risk of credential theft, session hijacking, and potential lateral movement within their networks if attackers gain access through this vector. The vulnerability's exploitation requires minimal technical skill and can be automated, making it particularly dangerous in environments where users may not be security-aware.

Mitigation strategies should include immediate patching to version 3.2.3 or later, which addresses the input sanitization issues. Additionally, administrators should implement proper input validation at multiple layers including web application firewalls, content security policies, and regular security audits of installed plugins. Network monitoring should be enhanced to detect suspicious traffic patterns related to XSS attempts, while user education programs should emphasize the importance of verifying links before clicking. Organizations should also consider implementing CSP headers to prevent execution of unauthorized scripts and maintain comprehensive backup procedures to quickly restore systems if compromise occurs through this vulnerability.

Responsible

Wordfence

Reservation

06/05/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!