Description
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator
Published: 2026-06-22
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Transbank Webpay WordPress plugin before version 1.14.0 logs data without sanitizing or escaping it. When the logs are displayed in the WordPress admin area, the unsanitized content is rendered directly, allowing the injection of malicious JavaScript. This flaw satisfies the definition of a stored cross‑site scripting vulnerability (CWE‑79).
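The pattern described above, as an added illustration that is not code from the Transbank Webpay plugin: a hypothetical WordPress admin log viewer in the vulnerable form (stored message interpolated into HTML as-is) next to the escaped form a fix would take. Entry contents are constructed; `render_logs_unsafe`, `render_logs_safe` and `$log_entries` are assumed names.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical WordPress
// admin log viewer, first in the unsafe pattern, then with output escaping.

// Constructed sample entries. The second carries the kind of markup that an
// unauthenticated request could cause to be written into the log.
$log_entries = [
    ['time' => '2026-06-22 06:10:01', 'message' => 'Webpay transaction OK, order 1042'],
    ['time' => '2026-06-22 06:11:17', 'message' => '<script>alert(1)</script>'],
];

// VULNERABLE: the stored message is placed into the page unchanged, so any
// markup it contains is rendered and run in the administrator's browser.
function render_logs_unsafe(array $entries): string {
    $html = '<table class="widefat">';
    foreach ($entries as $e) {
        $html .= "<tr><td>{$e['time']}</td><td>{$e['message']}</td></tr>";
    }
    return $html . '</table>';
}

// FIXED: escape at output time with WordPress's esc_html(), which turns
// <, >, &, " and ' into entities, so the payload is shown as literal text.
function render_logs_safe(array $entries): string {
    $html = '<table class="widefat">';
    foreach ($entries as $e) {
        $html .= '<tr><td>' . esc_html($e['time']) . '</td><td>'
               . esc_html($e['message']) . '</td></tr>';
    }
    return $html . '</table>';
}

// Fallback so this file also runs outside WordPress; inside WordPress the
// real esc_html() from wp-includes/formatting.php is used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

echo render_logs_safe($log_entries), "\n";
```

Escaping belongs at the point where the log is rendered; storing the raw value is fine as long as every output path goes through esc_html() or an equivalent context-appropriate escaper.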

Affected Systems

WordPress sites that run the Transbank Webpay plugin with a version older than 1.14.0 are impacted. The problem resides in the plugin’s logging component, which is accessible to anyone who can interact with the plugin’s endpoints, regardless of authentication status.

Risk and Exploitability

No CVSS score or EPSS value is supplied, and the vulnerability is not listed in the CISA KEV catalog, so the precise exploitation probability is unknown. However, the description indicates that unauthenticated users may inject code via the logging mechanism, a well‑known high‑risk vector for compromising administrator accounts once an administrator views the affected logs. The lack of a known exploit reference suggests that it has not yet been widely abused, but the mechanism remains available to attackers who can identify sites running the vulnerable plugin.

Generated by OpenCVE AI on June 22, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Transbank Webpay plugin to version 1.14.0 or later to apply the vendor’s fix for the stored XSS flaw.
  • If an immediate upgrade is not possible, disable the logging feature or configure the plugin to escape all log output before rendering it in the admin interface.
  • Apply a web application firewall rule that blocks payloads containing script tags or JavaScript‑related patterns when submitted to the plugin’s logging endpoints.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 08:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-79

Mon, 22 Jun 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator
Title | | Transbank Webpay < 1.14.0 - Unauthenticated Stored XSS
References | |

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-22T06:00:02.096Z

Reserved: 2026-04-22T12:53:03.877Z

Link: CVE-2026-6858

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T08:00:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')