What the vulnerability does
01Description
The Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.112.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Explanation of Vulnerability in Simple Terms
02Summary
PeachPay for WooCommerce versions up to 1.112.0 contain a stored cross-site scripting (XSS) vulnerability. An attacker can inject malicious scripts that execute in the browsers of site visitors or administrators. The vulnerability requires user interaction to trigger and can affect multiple users across the site. Update to a version newer than 1.112.0 to remediate.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that run in visitors' browsers, potentially stealing session tokens or redirecting users.
Potential impact on your site
04Site Impact
Attackers can compromise visitor sessions, deface content, or redirect customers away from your store.
Conditions required to exploit
05Prerequisites
No authentication required. Victim must visit a page containing the injected payload.
Key dates
06Disclosure timeline
November 23, 2024
CVE published
April 8, 2026
Record updated