Custom Payment Gateways for WooCommerce Plugin Vulnerability (CVE-2026-7517)


Security Alert Summary

The Custom Payment Gateways for WooCommerce plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its handling of the alg_wc_cpg_input_fields parameter. An unauthenticated attacker can submit a crafted checkout POST request that stores script which executes when another user later views the affected page. The root cause is insufficient input sanitization combined with missing output escaping.

CVE Details

  • CVE ID: CVE-2026-7517
  • Affected component: Custom Payment Gateways for WooCommerce plugin for WordPress
  • Affected versions: All versions up to and including 2.1.0
  • Published: July 1, 2026 5:16:23 AM UTC
  • Last modified: July 1, 2026 1:56:17 PM UTC
  • CVSS v3.1 base score: 7.2 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Privileges required: none (no authentication); user interaction: none
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Technical Details

The plugin does not sanitize the values submitted in the alg_wc_cpg_input_fields parameter before storing them, and does not escape them when they are later written into a page. An unauthenticated attacker can therefore send a crafted POST request through the checkout flow that stores arbitrary web script (stored XSS), which executes when another user loads the page where the stored value is rendered.

The code locations referenced in the available analysis point to the class that implements custom payment gateway input fields (for example class-alg-wc-custom-payment-gateways-input-fields.php). The issue is exploitable even when no custom input fields have been configured in the plugin: an attacker-controlled POST to the checkout flow is sufficient to inject a payload that is later rendered to other users.

Successful exploitation executes script in the victim's browser when they view the affected page. The Scope: Changed metric reflects this: the vulnerable component is the plugin's server-side code, but the impact lands in the browsers of the users who view the injected content. The confidentiality and integrity impacts are rated Low (for example, exposure of data visible to that user, or actions performed with that user's session), with no direct availability impact.
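To make the two defects concrete, here is an added example, not code from the plugin, from Freshy or from the advisory: a hypothetical handler for a checkout field array posted as alg_wc_cpg_input_fields, written once in the vulnerable shape the advisory describes and once hardened. Only the parameter name comes from the advisory; every function name, the `_cpg_example_` meta prefix, the two "configured" keys and the WooCommerce hooks chosen are assumptions made for the illustration.

```php
<?php
/**
 * Added example (not the plugin's own code): a hypothetical handler for a
 * checkout field array posted as alg_wc_cpg_input_fields, written once with
 * the two defects the advisory describes and once hardened. Function names,
 * the _cpg_example_ meta prefix and the configured keys are assumptions.
 */

// Assumption: the field keys a store owner has actually configured.
function cpg_example_allowed_field_keys() {
	return array( 'po_number', 'delivery_note' );
}

/* ---------- Vulnerable pattern ---------- */

// Defect 1: stores whatever was posted, for any key, with no sanitization.
// Because every key is accepted, the attacker needs no configured fields.
function cpg_example_save_vulnerable( $order_id ) {
	if ( empty( $_POST['alg_wc_cpg_input_fields'] ) ) {
		return;
	}
	$order = wc_get_order( $order_id );
	foreach ( (array) $_POST['alg_wc_cpg_input_fields'] as $key => $value ) {
		$order->update_meta_data( '_cpg_example_' . $key, $value ); // raw input stored
	}
	$order->save();
}

// Defect 2: echoes the stored values into the order screen without escaping,
// so a stored "<script>" runs in the browser of whoever views the order.
function cpg_example_render_vulnerable( $order ) {
	foreach ( $order->get_meta_data() as $meta ) {
		if ( 0 === strpos( $meta->key, '_cpg_example_' ) ) {
			echo '<p><strong>' . $meta->key . ':</strong> ' . $meta->value . '</p>';
		}
	}
}

/* ---------- Hardened pattern ---------- */

// Only configured keys are stored, only scalar values are accepted, and each
// value passes through sanitize_text_field() before it reaches the database.
function cpg_example_save_hardened( $order_id ) {
	if ( ! isset( $_POST['alg_wc_cpg_input_fields'] ) || ! is_array( $_POST['alg_wc_cpg_input_fields'] ) ) {
		return;
	}
	$order = wc_get_order( $order_id );
	if ( ! $order ) {
		return;
	}
	$submitted = wp_unslash( $_POST['alg_wc_cpg_input_fields'] ); // WordPress slashes $_POST
	foreach ( cpg_example_allowed_field_keys() as $key ) {
		if ( ! isset( $submitted[ $key ] ) || ! is_scalar( $submitted[ $key ] ) ) {
			continue; // unknown keys and nested arrays are dropped, never stored
		}
		$order->update_meta_data( '_cpg_example_' . $key, sanitize_text_field( $submitted[ $key ] ) );
	}
	$order->save();
}

// Output is escaped for its HTML context even though input was sanitized:
// the database may already hold payloads stored before the fix was applied.
function cpg_example_render_hardened( $order ) {
	foreach ( cpg_example_allowed_field_keys() as $key ) {
		$value = $order->get_meta( '_cpg_example_' . $key );
		if ( '' === $value ) {
			continue;
		}
		printf( '<p><strong>%s:</strong> %s</p>', esc_html( $key ), esc_html( $value ) );
	}
}

// Hook the hardened pair into the checkout flow and the admin order screen.
add_action( 'woocommerce_checkout_update_order_meta', 'cpg_example_save_hardened' );
add_action( 'woocommerce_admin_order_data_after_billing_address', 'cpg_example_render_hardened' );
```

Both halves of the hardened version matter. Sanitizing on input stops new payloads from being stored, but only escaping on output neutralizes values already sitting in the database, and the escaping function has to match the context (esc_html for text nodes, esc_attr inside attributes, esc_url for href and src). The key allowlist is what closes the "no fields configured" case the advisory mentions: nothing the attacker names gets stored unless the store owner defined it.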

How This Could Impact Your Website

On a WooCommerce site using the affected plugin, an unauthenticated attacker could inject JavaScript that is stored and later executed when other users visit the checkout or related pages. In a typical small-to-medium business environment this might involve:

  • Staff or customers reporting suspicious behaviour after an injected script captures form data or performs actions in their session, which is often how the site owner first learns of the problem.
  • Store managers or other internal staff viewing affected order or checkout pages and having data or actions within their privileges exposed or modified.
  • An external contractor or contributor visiting an affected page and having their session, or the data visible to them, targeted by the injected script.

Practical consequences include exposure of data visible to the affected user, such as internal user email addresses, and an increased risk of targeted phishing or social engineering against staff and customers. If you’re unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available. All versions up to and including 2.1.0 are affected; until a fix is installed, consider deactivating the plugin, because the issue is exploitable even when no custom input fields are configured.
  • Review and reduce unnecessary user roles, especially contributor-level and other lower-privilege accounts. This does not stop the unauthenticated injection itself, but it limits what a script running in a hijacked session can do.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and web logs for unusual POST requests to checkout pages, and review stored order data for unexpected HTML or script content, since a payload that is already in the database will keep executing until it is removed.
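As an added triage check, not part of the original advisory and not the plugin's or Freshy's code, the following WP-CLI script scans recent orders' meta for values containing HTML tags, inline event handlers or javascript: URLs, which is what a stored payload from this issue would look like if the site has already been hit. It assumes WooCommerce is active and that the plugin stores submitted checkout field values as order meta; because the exact meta key is not documented here, every meta key on each order is scanned, and the function names are chosen for this example.

```php
<?php
/**
 * Added triage example (not the plugin's or Freshy's code). Scans stored
 * order meta for values that look like injected markup so a store owner can
 * check whether the stored-XSS issue was already used against the site.
 * Run from the WordPress root with WP-CLI:  wp eval-file scan-order-meta.php
 * Assumptions: WooCommerce is active; payloads were saved as order meta;
 * the plugin's real meta key is unknown here, so every key is inspected.
 */

// A stored XSS payload needs a tag, an inline event handler or a javascript: URL.
function cpg_scan_markup_pattern() {
	return '/<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i';
}

// Meta values may be arrays (serialized form data); flatten them before matching.
function cpg_scan_value_is_suspicious( $value ) {
	$text = is_scalar( $value ) ? (string) $value : wp_json_encode( $value );
	return 1 === preg_match( cpg_scan_markup_pattern(), $text );
}

// Walks the newest $limit orders and returns every (order, key, excerpt) that matches.
function cpg_scan_orders( $limit = 500 ) {
	$hits   = array();
	$orders = wc_get_orders(
		array(
			'limit'   => $limit,
			'orderby' => 'date',
			'order'   => 'DESC',
		)
	);
	foreach ( $orders as $order ) {
		foreach ( $order->get_meta_data() as $meta ) {
			if ( cpg_scan_value_is_suspicious( $meta->value ) ) {
				$hits[] = array(
					'order' => $order->get_id(),
					'key'   => $meta->key,
					'value' => mb_substr( wp_json_encode( $meta->value ), 0, 120 ),
				);
			}
		}
	}
	return $hits;
}

$hits = cpg_scan_orders();
if ( empty( $hits ) ) {
	echo "No order meta values containing markup found.\n";
}
foreach ( $hits as $hit ) {
	// Output is JSON-encoded so a payload is printed inert, not re-rendered.
	printf( "order %d  meta %s  %s\n", $hit['order'], $hit['key'], $hit['value'] );
}
```

Treat a hit as a lead, not a verdict: a legitimate value can contain an angle bracket, and the scan only covers order meta, so if the plugin stores submitted values elsewhere (order item meta, options, a custom table) those locations need the same check. Where a real payload is found, remove it from the database rather than only updating the plugin, and review which administrators or staff opened that order while the payload was present.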

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
