CVE-2026-7517 Overview
CVE-2026-7517 is a stored Cross-Site Scripting (XSS) vulnerability in the Custom Payment Gateways for WooCommerce plugin for WordPress. The flaw affects all versions up to and including 2.1.0. It resides in the alg_wc_cpg_input_fields parameter, which lacks proper input sanitization and output escaping [CWE-79]. Unauthenticated attackers can inject arbitrary web scripts through a crafted checkout POST request. The injected payload executes in the browser of any user who later accesses the affected page. Exploitation does not require the plugin to have any custom input fields configured, broadening the attack surface across default installations.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript through the WooCommerce checkout flow, enabling session theft, admin account takeover, and drive-by attacks against store visitors and administrators.
Affected Products
- Custom Payment Gateways for WooCommerce plugin for WordPress — all versions through 2.1.0
- WordPress sites running WooCommerce with the affected plugin installed
- Any storefront exposing the checkout POST endpoint to unauthenticated guests
Discovery Timeline
- 2026-07-01 - CVE-2026-7517 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-7517
Vulnerability Analysis
The vulnerability exists in the plugin's input field handling class, class-alg-wc-custom-payment-gateways-input-fields.php. The alg_wc_cpg_input_fields parameter is accepted from checkout POST requests and later rendered in pages without adequate sanitization or output escaping. Because rendering occurs on pages viewed by store staff and other users, an attacker's payload persists and executes across sessions. The plugin does not require administrators to configure custom fields for the vulnerable code path to trigger, meaning default installations are exploitable. Successful exploitation lets attackers run arbitrary JavaScript in the context of the site, steal cookies, hijack administrator sessions, redirect visitors, or pivot into further WordPress compromise.
Root Cause
The root cause is insufficient input sanitization on the server side combined with missing output escaping when the stored value is echoed back into HTML. Relevant sinks are visible in the plugin source at lines 86, 241, and 264 of class-alg-wc-custom-payment-gateways-input-fields.php. User-supplied checkout data is trusted without applying WordPress sanitization helpers such as sanitize_text_field() or context-appropriate escaping like esc_html() and esc_attr().
Attack Vector
The attack is remote and unauthenticated. An attacker submits a crafted HTTP POST request to the WooCommerce checkout endpoint containing a malicious alg_wc_cpg_input_fields value. The payload is stored server-side and rendered into subsequent page views. When an administrator or customer loads the affected page, the injected script executes in their browser under the site's origin. Because the CVSS scope is changed, the impact reaches beyond the vulnerable component into browsers and sessions of other users.
No verified public exploit code is available. Technical details on the vulnerable sinks can be reviewed in the WordPress plugin source at line 86, line 241, and line 264.
Detection Methods for CVE-2026-7517
Indicators of Compromise
- Checkout POST requests containing <script>, onerror=, onload=, or javascript: substrings in the alg_wc_cpg_input_fields parameter.
- Unexpected HTML or JavaScript rendered in WooCommerce order detail pages, thank-you pages, or admin order screens.
- Unusual outbound requests from admin sessions to attacker-controlled domains shortly after viewing order pages.
- WordPress wp_options, order metadata, or postmeta rows containing raw script tags tied to the plugin's field keys.
Detection Strategies
- Inspect webserver and WAF logs for POST requests to WooCommerce checkout URLs where alg_wc_cpg_input_fields contains HTML control characters such as <, >, or ".
- Perform database scans across wp_postmeta and plugin-specific tables for stored values containing script tags or event handler attributes.
- Monitor admin browser telemetry for anomalous script execution originating from /wp-admin/post.php or order review pages.
- Correlate guest checkout activity with subsequent admin account changes, new administrator creation, or plugin installation events.
Monitoring Recommendations
- Enable request-body logging on checkout endpoints and alert on payloads containing HTML or JavaScript syntax in payment-gateway fields.
- Deploy a Web Application Firewall rule set that inspects and blocks XSS payloads in WooCommerce POST parameters.
- Track WordPress audit events for privilege changes, new users, and plugin or theme modifications following guest checkout activity.
- Review the Wordfence Vulnerability Report for updated signatures and threat intelligence.
How to Mitigate CVE-2026-7517
Immediate Actions Required
- Update the Custom Payment Gateways for WooCommerce plugin to a version later than 2.1.0 as soon as a patched release is available.
- If no fixed version is available, deactivate and remove the plugin from production WordPress sites.
- Audit wp_postmeta, order records, and plugin option tables for stored script payloads and remove malicious content.
- Force administrator password resets and invalidate active WordPress sessions if compromise is suspected.
Patch Information
The vendor committed changes tracked in the WordPress plugin changeset 3578163 addressing the vulnerable input handling. Site operators should upgrade to the first plugin release that incorporates this changeset. Confirm the plugin version reported in the WordPress admin matches or exceeds the patched build before restoring the plugin to production.
Workarounds
- Deploy a WAF rule to block or sanitize checkout POST requests containing HTML tags or JavaScript event handlers in the alg_wc_cpg_input_fields parameter.
- Restrict access to the WooCommerce checkout endpoint using rate limiting and bot-mitigation controls until the plugin is patched.
- Set a strict Content-Security-Policy response header that disallows inline scripts to reduce the impact of stored XSS payloads.
- Temporarily disable guest checkout so unauthenticated requests cannot reach the vulnerable code path.
# Configuration example: block script-like payloads in the vulnerable parameter (ModSecurity)
SecRule ARGS:alg_wc_cpg_input_fields "@rx (?i)(<script|onerror=|onload=|javascript:)" \
"id:1026007517,phase:2,deny,status:403,log,msg:'CVE-2026-7517 XSS attempt blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

