CVE-2026-6858
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator.
Risk Assessment
An attacker could exploit this vulnerability to inject malicious JavaScript code, potentially leading to the theft of administrator credentials or takeover of the site.
Recommendation
It is recommended to update the Transbank Webpay plugin to version 1.14.0 or later to mitigate this vulnerability.
Original NVD description (English source)
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator

