CVE-2026-57857
Received Received - Intake

Reflected XSS in Flow Payment WordPress Plugin

Vulnerability report for CVE-2026-57857, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

The Flow Payment plugin for WordPress (flow.cl) version 3.0.8 is vulnerable to reflected cross-site scripting on the WooCommerce checkout page. When the plugin handles an order cancellation, the error_message GET parameter is passed directly to wc_add_notice() in flowpayment-fl.php (lines 57-58) without input sanitization (for example sanitize_text_field()) or output escaping (for example esc_html()) before being rendered in the checkout notice HTML. An unauthenticated attacker can craft a URL containing a JavaScript payload in the error_message parameter (for example /checkout/?add-to-cart={product-id}&cancel_order=true&error_message={payload}); when a victim with an active WooCommerce checkout session follows the link, the payload executes in the victim's browser in the origin of the WordPress site.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
flow payment_plugin 3.0.8

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Flow Payment plugin for WordPress version 3.0.8 has a reflected cross-site scripting (XSS) vulnerability. When a user cancels an order, the plugin displays an error message from the error_message GET parameter without sanitizing or escaping it. An attacker can craft a malicious URL with a JavaScript payload in this parameter. When a victim with an active WooCommerce checkout session visits the link, the payload executes in their browser on the WordPress site.

Detection Guidance

Check WordPress sites using the Flow Payment plugin version 3.0.8 or earlier. Look for reflected XSS by inspecting URLs with the error_message parameter on WooCommerce checkout pages. Manually test by appending a harmless script like /checkout/?error_message=test<script>alert(1)</script> to see if it executes.

Impact Analysis

An unauthenticated attacker could steal session cookies, redirect users to malicious sites, or perform actions on behalf of the victim. Users with active WooCommerce checkout sessions are at risk if they click a specially crafted link containing the malicious payload.

Compliance Impact

This vulnerability could lead to unauthorized access to user data, violating GDPR's data protection principles and HIPAA's security requirements for protected health information. It may result in data breaches, unauthorized transactions, or loss of user trust.

Mitigation Strategies

Update the Flow Payment plugin to the latest version. If no update is available, disable the plugin immediately. Add input sanitization to the error_message parameter in flowpayment-fl.php or implement output escaping using functions like esc_html().

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57857. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart