CVE-2026-6858 PUBLISHED

Transbank Webpay < 1.14.0 - Unauthenticated Stored XSS

Assigner: WPScan
Reserved: 22.04.2026 Published: 22.06.2026 Updated: 22.06.2026

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator

Product Status

Vendor	Unknown
Product	Transbank Webpay
Versions	Default: unaffected affected from 0 to 1.14.0 (excl.)

Credits

Mateo Contenla & Matías Schiappacasse finder
WPScan coordinator

References

https://wpscan.com/vulnerability/81035d75-81a5-486a-a9fb-b0d1e0befe3c/

Problem Types

CWE-79 Cross-Site Scripting (XSS) CWE