CVE-2022-2099

MEDIUM

WooCommerce < 6.6.0 - Stored Cross-Site Scripting in Payment Gateway Titles

Title source: llm

Description

The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to a lack of escaping and sanitizing in the payment gateway titles.

References (1)

Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/0316e5f3-3302-40e3-8ff4-be3423a3be7b

Scores

CVSS v3 4.8
EPSS 0.0054
EPSS Percentile 41.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-116
Status published
Products (2)
woocommerce/woocommerce < 6.6.0
woocommerce/woocommerce 0 - 6.6.0 (Packagist)
Published Jul 17, 2022
Tracked Since Feb 18, 2026