Custom Payment Gateways for WooCommerce Unauthenticated Stored XSS in Checkout Fields (CVE-2026-7517)

Scope: Custom Payment Gateways for WooCommerce plugin, versions up to and including 2.1.0

Severity: High

A stored cross-site scripting vulnerability in the Custom Payment Gateways for WooCommerce plugin allows unauthenticated attackers to submit specially crafted checkout requests that store malicious JavaScript payloads on the server. The flaw is exploitable even on stores where no custom checkout input fields have been configured, and the stored payload executes for any subsequent visitor who views the affected page, including store administrators. Once an administrator views the affected page, the injected script can silently create rogue admin accounts, install malicious plugins, redirect customers to phishing pages, or exfiltrate payment session data. Administrators running WooCommerce stores must update to version 2.1.1 or later immediately; where patching is delayed, disable the plugin entirely and audit order notes and checkout fields for injected script content.
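To support the audit step above, the following is an added example (not from the advisory, the plugin, or WooCommerce) that scans an export of order notes and checkout field values for injection indicators and shows the output escaping that keeps a stored value from rendering as HTML. The export format, field names and sample records are constructed for illustration.

```python
import html
import json
import re

# Constructed sample export of stored checkout data, in the shape an administrator
# might dump from the orders table with WP-CLI or a database query. The field names
# are assumptions for illustration, not the plugin's real meta keys.
SAMPLE_EXPORT = json.dumps([
    {"order_id": 1001, "field": "customer_note",
     "value": "Please leave the parcel at the back door."},
    {"order_id": 1002, "field": "custom_checkout_field",
     "value": "<script>document.title='injected'</script>"},
    {"order_id": 1003, "field": "customer_note",
     "value": "Gift wrap <IMG SRC=x ONERROR=\"alert(1)\">"},
    {"order_id": 1004, "field": "custom_checkout_field",
     "value": "Ring bell twice; flat 3 < 4 on the list"},   # benign '<', no finding
])

# Indicators of injected markup, matched case-insensitively after one round of
# entity decoding so that a value stored as &lt;script&gt; is flagged as well.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son\w+\s*=", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "embed_tag": re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
}


def find_injected(records):
    """Return one finding per record whose stored value contains an indicator."""
    findings = []
    for rec in records:
        value = html.unescape(str(rec.get("value", "")))
        for name, pattern in INDICATORS.items():
            if pattern.search(value):
                findings.append({"order_id": rec["order_id"],
                                 "field": rec["field"], "indicator": name})
                break  # first matching indicator is enough for triage
    return findings


def audit_sample():
    """Run the scan over the constructed export."""
    return find_injected(json.loads(SAMPLE_EXPORT))


def safe_render(value):
    """Escape a stored value so the admin UI shows it as text, not as markup."""
    return html.escape(str(value), quote=True)


if __name__ == "__main__":
    for hit in audit_sample():
        print(f"order {hit['order_id']} field {hit['field']}: {hit['indicator']}")
```

Findings point at the order and field to inspect; the unescaped value must never be echoed into the admin page while triaging, which is what safe_render guards against.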

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.