No analysis available yet.
No remediation available yet.
Tracking
Sign in to view the affected projects.
No advisories yet.
Sat, 18 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
cvssV3_1
|
Sat, 18 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Flow Payment plugin for WordPress (flow.cl) version 3.0.8 is vulnerable to reflected cross-site scripting on the WooCommerce checkout page. When the plugin handles an order cancellation, the error_message GET parameter is passed directly to wc_add_notice() in flowpayment-fl.php (lines 57-58) without input sanitization (for example sanitize_text_field()) or output escaping (for example esc_html()) before being rendered in the checkout notice HTML. An unauthenticated attacker can craft a URL containing a JavaScript payload in the error_message parameter (for example /checkout/?add-to-cart={product-id}&cancel_order=true&error_message={payload}); when a victim with an active WooCommerce checkout session follows the link, the payload executes in the victim's browser in the origin of the WordPress site. | |
| Title | Flow Payment Plugin for WordPress Reflected Cross-Site Scripting via error_message Parameter | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-18T20:53:33.051Z
Reserved: 2026-06-25T18:48:00.282Z
Link: CVE-2026-57857
No data.
No data.
No data.
OpenCVE Enrichment
No data.
-
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')