Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ABA Bank ABA PayWay Payment Gateway for WooCommerce aba-payway-woocommerce-payment-gateway allows Reflected XSS. This issue affects ABA PayWay Payment Gateway for WooCommerce: from n/a through <= 2.1.4.
Published: 2025-04-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ABA PayWay Payment Gateway for WooCommerce plugin includes a reflected Cross‑Site Scripting flaw that occurs when user‑controlled data is output in a web page without proper encoding. An attacker can supply malicious script content in URL parameters or form inputs that will be executed in the victim’s browser. This can lead to theft of session cookies, credential hijacking, or defacement of the website, but does not allow arbitrary code execution on the server. The weakness is identified as CWE‑79.

Affected Systems

This vulnerability affects the ABA PayWay Payment Gateway for WooCommerce plugin from any version through 2.1.4, distributed by ABA Bank. Any WordPress‑based WooCommerce store running the plugin at or below 2.1.4 is potentially exposed.

Risk and Exploitability

The issue has a CVSS score of 7.1, indicating high severity, and an EPSS score of less than 1%, indicating low exploitation probability. It is not listed in the CISA KEV catalog. The most likely attack vector is a crafted link or form that an unsuspecting user would click or submit, leading to delivery of malicious script in the victim’s session. While the flaw does not permit server‑side code execution, it remains a serious concern for user data integrity and trust.

Generated by OpenCVE AI on April 30, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version that contains the XSS fix.
  • If an immediate upgrade is not possible, enforce proper output escaping on any user‑supplied data rendered by the plugin using functions such as wp_kses or htmlspecialchars.
  • Review and restrict the plugin’s form and URL parameters to ensure they do not accept arbitrary script input before rendering.


Advisories
Source: EUVD
ID: EUVD-2025-10751
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ABA Bank ABA PayWay Payment Gateway for WooCommerce allows Reflected XSS. This issue affects ABA PayWay Payment Gateway for WooCommerce: from n/a through 2.1.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ABA Bank ABA PayWay Payment Gateway for WooCommerce allows Reflected XSS. This issue affects ABA PayWay Payment Gateway for WooCommerce: from n/a through 2.1.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ABA Bank ABA PayWay Payment Gateway for WooCommerce aba-payway-woocommerce-payment-gateway allows Reflected XSS. This issue affects ABA PayWay Payment Gateway for WooCommerce: from n/a through <= 2.1.4.
Title
  Removed: WordPress ABA PayWay Payment Gateway for WooCommerce Plugin <= 2.1.3 - Reflected Cross Site Scripting (XSS) vulnerability
  Added: WordPress ABA PayWay Payment Gateway for WooCommerce Plugin <= 2.1.4 - Reflected Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ABA Bank ABA PayWay Payment Gateway for WooCommerce allows Reflected XSS. This issue affects ABA PayWay Payment Gateway for WooCommerce: from n/a through 2.1.3.
Title WordPress ABA PayWay Payment Gateway for WooCommerce Plugin <= 2.1.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:24.750Z

Reserved: 2025-04-09T11:20:21.866Z

Link: CVE-2025-32586

Vulnrichment

Updated: 2025-04-11T13:53:18.666Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:29.820

Modified: 2026-04-23T15:29:09.600

Link: CVE-2025-32586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:15:05Z

Weaknesses