CVE-2026-7517
Received Received - Intake

Stored XSS in Custom Payment Gateways for WooCommerce Plugin

Vulnerability report for CVE-2026-7517, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alg_wc_cpg_input_fields' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability is exploitable by unauthenticated guest users submitting a crafted checkout POST request, requiring no custom input fields to be configured in the plugin.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
algolia custom_payment_gateways_for_woocommerce to 2.1.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Custom Payment Gateways for WooCommerce plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'alg_wc_cpg_input_fields' parameter. This occurs because the plugin does not properly sanitize input or escape output in all versions up to and including 2.1.0.

An unauthenticated attacker can exploit this by submitting a specially crafted checkout POST request, even if no custom input fields are configured. The injected malicious scripts then execute whenever a user accesses the affected page.

Impact Analysis

This vulnerability allows attackers to inject and execute arbitrary web scripts on pages viewed by users, potentially leading to theft of sensitive information, session hijacking, or other malicious actions.

Since the attack can be performed by unauthenticated users without any special privileges, it increases the risk of widespread exploitation.

The CVSS score of 7.2 indicates a high severity, meaning the impact on confidentiality and integrity is significant, though availability is not affected.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7517. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart