CVE-2026-6858
Status: Received - Intake
Stored XSS in Transbank Webpay WordPress Plugin

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: WPScan

Description
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs before displaying them, allowing unauthenticated users to perform Stored XSS attacks against logged-in administrators.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor      Product   Version / Range
transbank   webpay    up to 1.14.0 (excluding)
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2026-6858 is a vulnerability in the Transbank Webpay WordPress plugin versions before 1.14.0. It is a stored cross-site scripting (XSS) flaw that occurs because the plugin does not properly sanitize and escape logs that are displayed to users.

This flaw allows unauthenticated attackers to inject malicious scripts into the logs. These scripts are then stored and executed when viewed by logged-in administrators or other users, potentially compromising their accounts or the site.

Impact Analysis

This vulnerability can have serious impacts because it allows attackers to execute malicious scripts in the context of logged-in administrators without needing to authenticate.

  • Attackers can hijack administrator sessions.
  • They can perform unauthorized actions on the website.
  • It may lead to data theft, site defacement, or further compromise of the WordPress installation.

Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) in the Transbank Webpay WordPress plugin versions prior to 1.14.0, where logs are not properly sanitized or escaped.

Detection can involve checking the version of the Transbank Webpay plugin installed on your WordPress site to see if it is older than 1.14.0.

Additionally, reviewing logs displayed by the plugin for suspicious or unexpected script tags or payloads could help identify exploitation attempts.

Specific commands to check the plugin version on a WordPress installation include:

  • Using WP-CLI: `wp plugin list | grep transbank-webpay` to see the installed version.
  • Manually checking the plugin's readme or main plugin file for the version number.
  • Searching logs or database entries for suspicious script tags or payloads that could indicate stored XSS.
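
To make the version check and log review above concrete, here is an added Python example (not part of the advisory, and not the plugin's own code): it reads the standard WordPress plugin-header `Version:` field, compares it numerically against 1.14.0, and flags log entries carrying markup that would execute if rendered into an admin page unescaped. The plugin header and log lines are constructed samples; the real plugin's log format is not described on this page.

```python
import re

# Constructed sample of a WordPress plugin header (the comment block at the top of a
# plugin's main PHP file). The contents are assumed; only the 1.14.0 threshold is from
# the advisory.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Transbank Webpay
 * Version: 1.13.2
 */
"""

FIXED_VERSION = "1.14.0"

def parse_version(text):
    """Turn '1.13.2' into (1, 13, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def header_version(php_source):
    """Extract the 'Version:' field from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", php_source, re.MULTILINE)
    return m.group(1) if m else None

def is_affected(installed):
    """True when the installed version is strictly below the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)

# Coarse heuristic: tags, javascript: URLs and on*= handlers are inert as plain text but
# become live markup if the log entry is echoed into a page without escaping.
MARKUP_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def suspicious_log_lines(lines):
    """Return (line_number, line) for entries containing HTML/JS markup. Since these
    logs hold unauthenticated request data, markup here is a sign of an attempted
    payload rather than legitimate traffic."""
    return [(i, l) for i, l in enumerate(lines, 1) if MARKUP_PATTERN.search(l)]

# Constructed log lines in a generic "timestamp level message" shape.
SAMPLE_LOG = [
    "2026-06-20 10:01:02 INFO  transaction created token=abc123",
    "2026-06-20 10:01:05 ERROR commit failed for buy_order=<script>alert(1)</script>",
    "2026-06-20 10:02:11 WARN  return_url=javascript:void(0)",
    "2026-06-20 10:03:00 INFO  amount 1 < 2 compared",  # bare '<' is not flagged
]

if __name__ == "__main__":
    v = header_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {v}: {'AFFECTED' if is_affected(v) else 'patched'}")
    for n, line in suspicious_log_lines(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

On a live site, feed the plugin's main PHP file and its exported log entries into `header_version` and `suspicious_log_lines` instead of the constructed samples.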

Mitigation Strategies

The primary and immediate mitigation step is to update the Transbank Webpay WordPress plugin to version 1.14.0 or later, where the vulnerability has been fixed.

Until the update can be applied, restrict access to the WordPress admin area to trusted users only, as the vulnerability allows unauthenticated users to inject stored XSS that affects logged-in administrators.

Additionally, monitor logs and user activity for any suspicious behavior that might indicate exploitation attempts.

Compliance Impact

The vulnerability allows unauthenticated users to perform stored cross-site scripting (XSS) attacks against logged-in administrators by exploiting improper sanitization and escaping of logs in the Transbank Webpay WordPress plugin.

Such a vulnerability can lead to unauthorized access or manipulation of administrative sessions, potentially exposing sensitive data or allowing malicious actions within the affected system.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized access or data manipulation can negatively impact compliance by risking confidentiality, integrity, and availability of sensitive information.
