Impact
A Cross-Site Request Forgery flaw in the Pagopar – WooCommerce Gateway plugin lets an attacker craft a request that the plugin accepts without validating a CSRF token. The malicious payload, typically JavaScript, is stored within the website's content, so the script executes for every user who views the affected page. This stored XSS can lead to session hijacking, defacement, or data exfiltration whenever visitors load the compromised content.
Affected Systems
The plugin Pagopar – WooCommerce Gateway for WordPress, developed by Pagopar - Grupo M S.A., is impacted. All releases through version 2.7.1 are vulnerable; according to CNA data, WordPress core and other plugins are not directly affected.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is presently unlikely. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. Based on the description, the likely attack vector is a crafted request that the plugin accepts without validating a CSRF token, allowing the attacker to store the script; the stored script then runs for any subsequent visitor. Proper request validation using unique nonces, or upgrading to a fixed version, is essential to mitigate this risk.
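As an added illustration of the nonce-based request validation mentioned above (example code, not the Pagopar plugin's own), the following hypothetical WordPress settings handler shows the unprotected pattern next to a hardened one. The option name, hook names and function names are assumptions chosen for the example; the WordPress and WooCommerce API calls themselves are real.

```php
<?php
// Added example, not code from the Pagopar plugin. A hypothetical WooCommerce
// settings handler that saves a "customer notice" text later rendered on the
// checkout page. Option, hook and function names are made up for illustration.

// --- Unprotected pattern: no nonce, no capability check, raw storage ----------
function pagopar_demo_save_notice_unsafe() {
    // Any request carrying this POST body is accepted, so a forged form on a
    // third-party site submitted by a logged-in admin stores attacker content.
    update_option( 'pagopar_demo_notice', $_POST['notice'] ); // stored as-is
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// --- Hardened pattern: nonce + capability check + sanitisation ----------------
function pagopar_demo_notice_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="pagopar_demo_save_notice">';
    // Emits a hidden _wpnonce field bound to this action and the current user.
    wp_nonce_field( 'pagopar_demo_save_notice' );
    echo '<input type="text" name="notice" value="'
        . esc_attr( get_option( 'pagopar_demo_notice', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

function pagopar_demo_save_notice() {
    // Rejects any request lacking a valid nonce for this action (dies with 403).
    check_admin_referer( 'pagopar_demo_save_notice' );
    // Only users allowed to manage the shop may change gateway text.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Strip tags and control characters before storing.
    $notice = sanitize_text_field( wp_unslash( $_POST['notice'] ?? '' ) );
    update_option( 'pagopar_demo_notice', $notice );
    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_pagopar_demo_save_notice', 'pagopar_demo_save_notice' );

// Output escaping is the second line of defence: stored content that slipped
// past input filtering is rendered as text, never executed as script.
function pagopar_demo_render_notice() {
    echo '<p class="pagopar-notice">'
        . esc_html( get_option( 'pagopar_demo_notice', '' ) ) . '</p>';
}
add_action( 'woocommerce_before_checkout_form', 'pagopar_demo_render_notice' );
```

The nonce check alone closes the CSRF hole; the sanitisation on input and escaping on output are what stop a stored payload from becoming an XSS even if another write path is found.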
OpenCVE Enrichment