Description
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape log entries before displaying them, allowing unauthenticated users to perform Stored XSS attacks against logged-in administrators.
Severity (CVSS)
| Base score | 7.1 |
|---|---|
| Severity | High |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
| Provided by | CISA-ADP |
Weaknesses
- CWE-79 Cross-Site Scripting (XSS)
- CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Unknown | Transbank Webpay | 0 to <1.14.0 |
References
- https://wpscan.com/vulnerability/81035d75-81a5-486a-a9fb-b0d1e0befe3c/ (exploit vdb-entry technical-description)
Generated from the official CVE List on 22 Jun 2026 14:43 UTC.