CVE Catalog

CVE-2026-6858

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile - higher than 6% of all known CVEs

Summary

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator.

Risk Assessment

An attacker could exploit this vulnerability to inject malicious JavaScript code, potentially leading to the theft of administrator credentials or takeover of the site.

Recommendation

It is recommended to update the Transbank Webpay plugin to version 1.14.0 or later to mitigate this vulnerability.

Original NVD description (English source)

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator

Vulnerability data from NVD (NIST) · CISA KEV · EPSS