WordPress Plugin Vulnerabilities

Transbank Webpay < 1.14.0 - Unauthenticated Stored XSS

Description

The plugin does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator

Proof of Concept

Affects Plugins

Plugin icon
transbank-webpay-plus-rest
Fixed in 1.14.0

References

CVE
CVE-2026-6858

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Mateo Contenla & Matías Schiappacasse
Submitter
Mateo Contenla & Matías Schiappacasse
Submitter website
https://nivel4.com/
Verified
Yes
WPVDB ID
81035d75-81a5-486a-a9fb-b0d1e0befe3c

Timeline

Publicly Published
2026-06-01 (about 21 days ago)
Added
2026-06-01 (about 20 days ago)
Last Updated
2026-06-19 (about 2 days ago)

Other

Published
Title
Published
2023-10-12
Title
WP 5.6-6.3.1 - Contributor+ Stored XSS via Navigation Block
Published
2024-12-11
Title
Planaday API < 11.5 - Reflected Cross-Site Scripting
Published
2022-11-03
Title
Analytics for WP <= 1.5.1 - Admin+ Stored XSS
Published
2017-11-11
Title
WP Mail Logging <= 1.8.2 - Stored Cross-Site Scripting
Published
2024-11-04
Title
FriendStore for WooCommerce <= 1.4.2 - Reflected Cross-Site Scripting