MyCryptoCheckout < 2.124 - Reflected XSS
Description
The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The MyCryptoCheckout WordPress plugin before 2.124 has a reflected XSS vulnerability because it fails to escape certain URLs before outputting them in HTML attributes.
Vulnerability
The MyCryptoCheckout WordPress plugin versions before 2.124 suffer from a reflected cross-site scripting (XSS) vulnerability. The plugin does not properly escape some URLs before outputting them in HTML attributes, allowing an attacker to inject arbitrary JavaScript code. The affected parameter is part of the URL handling mechanism within the plugin [1].
Exploitation
To exploit this vulnerability, an attacker must craft a malicious URL containing a JavaScript payload in the unsanitized parameter and lure a victim to click on it. The victim must be logged into a WordPress site running a vulnerable version of the plugin. No authentication or special privileges are required from the attacker beyond the ability to trick the user into visiting the crafted link [1].
Impact
Successful exploitation leads to reflected XSS, allowing the attacker to execute arbitrary JavaScript in the victim's browser within the context of the vulnerable WordPress site. This could be used to steal session cookies, perform actions on behalf of the victim, deface the site, or redirect the user to malicious destinations. The CVSS score is 7.5 (high) [1].
Mitigation
The issue is fixed in version 2.124 of the MyCryptoCheckout plugin. Users should update to this version or later. If updating is not possible, no workaround is documented in the available references; however, administrators can consider using a web application firewall to block malicious requests containing XSS payloads in the affected URL parameters [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/MyCryptoCheckout
- Range: <2.124
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output escaping of URLs before they are rendered in HTML attributes."
Attack vector
An attacker can craft a malicious URL containing JavaScript payloads in parameters that the plugin reflects into HTML attributes without proper escaping [CWE-79]. When a victim clicks the crafted link, the unescaped URL is output in an attribute, allowing the injected script to execute in the victim's browser context. No authentication is required; the attack is triggered by luring a user to visit the malicious link [ref_id=1].
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the MyCryptoCheckout WordPress plugin versions before 2.124, where certain URLs are not escaped before being output in HTML attributes [ref_id=1].
What the fix does
The advisory states the issue is fixed in version 2.124 of the MyCryptoCheckout plugin [ref_id=1]. No patch diff is provided, but the fix would involve properly escaping URLs with functions like esc_url() or esc_attr() before outputting them in HTML attributes, preventing injected JavaScript from being interpreted as code.
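The pattern the fix description points at, shown as an added example that is not MyCryptoCheckout's own code: the advisory names no file, function or parameter, so the `return_url` parameter and the `mcc_example_*` function names are hypothetical, and the snippet assumes the WordPress runtime (`esc_url()`, `esc_attr()`, `esc_html()`, `wp_unslash()`).

```php
<?php
// Added example (hypothetical names); requires WordPress for the esc_* helpers.

// Before: a request parameter is reflected into an href attribute verbatim.
// A value containing a double quote closes the attribute early and whatever
// follows is parsed as new attributes or markup (CWE-79, reflected).
function mcc_example_render_return_link_unsafe() {
    $return_url = isset( $_GET['return_url'] ) ? $_GET['return_url'] : '';
    return '<a href="' . $return_url . '">Back to checkout</a>';
}

// After: the value goes through esc_url() before it lands in the attribute.
// esc_url() strips characters that are not legal in a URL (the double quote
// and the space among them), drops schemes that are not in
// wp_allowed_protocols() such as javascript:, and encodes & and ' so the
// result is safe inside a double-quoted HTML attribute.
function mcc_example_render_return_link_safe() {
    $return_url = isset( $_GET['return_url'] ) ? wp_unslash( $_GET['return_url'] ) : '';
    return '<a href="' . esc_url( $return_url ) . '">Back to checkout</a>';
}

// Attribute values that are plain text rather than URLs take esc_attr();
// text between tags takes esc_html(). esc_url() is only for URL-typed values.
function mcc_example_render_label( $label ) {
    return '<span title="' . esc_attr( $label ) . '">' . esc_html( $label ) . '</span>';
}

// Constructed input: a URL with a stray quote that breaks out of the attribute.
$_GET['return_url'] = 'https://shop.example/return?order=1" data-injected="1';

// The unsafe variant emits the quote and the trailing text as a second attribute;
// the safe variant keeps one href whose value no longer contains a quote or space.
echo mcc_example_render_return_link_unsafe(), "\n";
echo mcc_example_render_return_link_safe(), "\n";
```

A quick review check for plugins of this kind is to grep every `echo`/`printf` whose argument includes `$_GET`, `$_REQUEST`, `add_query_arg()` or `$_SERVER['REQUEST_URI']` and confirm each is wrapped in `esc_url()` (for attributes holding URLs) or `esc_attr()` (for other attribute values).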
Preconditions
- Input: The attacker must craft a URL with a malicious JavaScript payload in a parameter that the plugin reflects into an HTML attribute.
- Config: The victim must be logged into or browsing a WordPress site running MyCryptoCheckout before version 2.124.
- Network: The victim must click the attacker's crafted link.
Reproduction
The advisory does not include explicit reproduction steps beyond the general description that the plugin does not escape some URLs before outputting them in attributes [ref_id=1]. No detailed PoC is provided.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/bb065397-370f-4ee1-a2c8-20e4dc4415a0 (MITRE reference, tagged exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.