CVE-2026-6939 in CorvusPay WooCommerce Payment Gateway Plugininfo

Summary

by MITRE • 07/11/2026

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approval_code' parameter in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unauthenticated REST endpoint POST /wp-json/corvuspay/success/ is registered with permission_callback set to __return_true, and although a signature validation step exists it only logs the result without halting execution, meaning an attacker can supply a completely arbitrary signature and have a malicious approval_code stored in the database unchallenged.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The CorvusPay WooCommerce Payment Gateway plugin presents a critical stored cross-site scripting vulnerability that affects all versions up to and including 2.7.4, creating a significant security risk for WordPress installations. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's handling of payment approval codes, allowing malicious actors to inject arbitrary web scripts into the system. The flaw manifests through the 'approval_code' parameter which is processed without proper validation, enabling attackers to store malicious payloads that persist in the database and execute whenever legitimate users access affected pages.

The technical implementation of this vulnerability is particularly concerning due to the plugin's REST endpoint configuration at POST /wp-json/corvuspay/success/. This endpoint is registered with a permission_callback set to __return_true, which effectively removes any authentication requirements for accessing this critical functionality. While the plugin does implement signature validation as a security measure, this protection is fundamentally flawed because it only logs validation results without actually halting execution when invalid signatures are detected. This design flaw means that attackers can simply supply completely arbitrary signatures and bypass all security checks, allowing malicious approval_code values to be stored in the database without any verification process.

The operational impact of this vulnerability extends beyond simple script execution, as it creates a persistent backdoor for attackers to compromise user sessions and potentially escalate privileges within the WordPress environment. When unauthenticated attackers inject malicious scripts through the approval_code parameter, these payloads execute whenever legitimate users access pages containing the stored content, creating a vector for session hijacking, data exfiltration, and further exploitation of the compromised system. The vulnerability affects not just the payment processing functionality but also undermines the overall security posture of WordPress sites using this plugin.

From a cybersecurity perspective, this vulnerability aligns with CWE-79 (Cross-Site Scripting) and represents a classic case of insufficient input validation combined with inadequate access controls. The ATT&CK framework categorizes this as a technique for code injection and privilege escalation through web application vulnerabilities. Organizations should immediately implement mitigations including plugin version updates to address the sanitization issues, restriction of REST API endpoint access through custom middleware, and implementation of proper signature validation that actually enforces security decisions rather than merely logging results. Additionally, administrators should consider implementing network-level protections such as web application firewalls to detect and block malicious requests targeting this specific vulnerability pattern.

The broader implications for WordPress security ecosystems highlight the importance of proper input validation and access control mechanisms in plugin development. This vulnerability demonstrates how seemingly minor oversights in permission handling and validation logic can create persistent security risks that affect thousands of websites. Security teams should conduct comprehensive audits of all installed plugins, particularly payment gateway solutions, to identify similar patterns of inadequate input sanitization and overly permissive API endpoint configurations that could expose their systems to similar attacks.

Responsible

Wordfence

Reservation

04/23/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!