WooCommerce myghpay Payment Gateway <= 3.0 Reflected Cross-Site Scripting
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Unauthenticated reflected XSS in myghpay WooCommerce Payment Gateway plugin <= 3.0 via the clientref parameter in processresponse.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The myghpay WooCommerce Payment Gateway plugin for WordPress, versions up to and including 3.0, contains a reflected Cross-Site Scripting (XSS) vulnerability in the clientref parameter found in the ~/processresponse.php file [1]. The parameter is echoed back without proper sanitization or encoding, allowing an attacker to inject arbitrary HTML and JavaScript. The plugin has been removed from the WordPress.org directory due to this security issue [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a clientref parameter with an embedded JavaScript payload. The victim must be logged in to the WordPress admin area and click the crafted link. No authentication is required to trigger the reflection, though the impact is limited to the victim's session context. The plugin closure suggests no patch exists, making exploitation straightforward as long as the plugin remains installed.
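Because no patch exists, defenders are left with detection and removal. The following Python script is an added example written for this advisory, not code from the plugin or its authors: it scans web server access logs for requests to processresponse.php whose clientref value contains markup, which a legitimate order reference never does. The log lines and the plugin path under wp-content/plugins are constructed for the demonstration; only the file name, parameter name and plugin slug come from the advisory.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not from any real
# server. The second request carries markup in clientref; the third hits a
# different script and is out of scope for this check.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /wp-content/plugins/woo-myghpay-payment-gateway/processresponse.php?clientref=ORD-1001&status=ok HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2022:10:00:07 +0000] "GET /wp-content/plugins/woo-myghpay-payment-gateway/processresponse.php?clientref=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2022:10:00:09 +0000] "GET /index.php?clientref=%3Cb%3E HTTP/1.1" 200 100 "-" "curl/7.8"
"""

# Client IP, timestamp, method, request target and status from one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup or script fragments that have no place in an order reference.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded values are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_clientref_xss(log_text: str) -> list[dict]:
    """Return requests to processresponse.php whose clientref contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        url = urlparse(m.group("target"))
        if not url.path.endswith("/processresponse.php"):
            continue  # only the vulnerable endpoint matters here
        # parse_qs decodes once; decode_fully catches nested encoding.
        for raw in parse_qs(url.query, keep_blank_values=True).get("clientref", []):
            value = decode_fully(raw)
            if SUSPICIOUS.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "clientref": value})
    return hits

if __name__ == "__main__":
    for hit in find_clientref_xss(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} clientref={hit['clientref']!r}")
```

A 200 response to such a request on a site where the plugin is still installed means the payload was reflected; the only remediation remains removing the plugin.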
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's WordPress admin session. This can lead to session hijacking, credential theft, or forced administrative actions. The scope of the attack is limited to reflected XSS, requiring user interaction, but can still compromise the site's security if an admin user is targeted. The plugin's removal without a fix means all installations are effectively unmaintained and vulnerable.
Mitigation
No patched version exists, as the plugin was permanently closed from the WordPress.org directory on December 13, 2021, due to this security issue [1]. The only effective mitigation is to immediately uninstall the plugin from any WordPress site where it is active. Site administrators should also review for any other vulnerable plugins or themes that may have been introduced alongside myghpay. The plugin is not listed on any known KEV catalog as of this writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WooCommerce myghpay Payment Gateway: versions <= 3.0
- WooCommerce myghpay Payment Gateway / WooCommerce myghpay Payment Gateway: version 3.0
Patches
woo-myghpay-payment-gateway: This plugin has been removed from the WordPress.org directory on 2021-12-13 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/woo-myghpay-payment-gateway/trunk/processresponse.php
- www.wordfence.com/vulnerability-advisories/
News mentions
No linked articles in our index yet.