A Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress WooCommerce PensoPay plugin. This vulnerability could allow a malicious actor to inject malicious scripts into the website, which could be executed when visitors visit the site.

This vulnerability was discovered and responsibly reported by Le Ngoc Anh.

The vulnerability is an XSS vulnerability that occurs in the woocommerce-pensoppay.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to inject malicious scripts into the website.


The vulnerability has a CVSS 3.1 score of 7.1, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the WooCommerce PensoPay plugin prior to 6.3.2.


An attacker who successfully exploits this vulnerability could:

  • Inject malicious scripts into your website, which could allow them to:
    • Steal user information, such as cookies, session tokens, and passwords.
    • Redirect users to malicious websites.
    • Display malicious content on your website.
    • Take control of user accounts.


To protect the WordPress website effectively, please follow these recommendations:

  • Update the Plugin: Immediately update the WooCommerce PensoPay Plugin to the latest available version, at least version 6.3.2. This update contains the critical security fix required to address the XSS vulnerability.
  • Regularly Update Plugins: Make it a standard practice to regularly update all WordPress plugins and themes to their latest versions. Regular updates are vital for maintaining the security of the website.