VYPR
Unrated severity · NVD Advisory · Published Sep 29, 2023 · Updated Apr 28, 2026

WordPress WooCommerce PensoPay Plugin <= 6.3.1 is vulnerable to Cross Site Scripting (XSS)

CVE-2023-41691

Description

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Pensopay WooCommerce PensoPay plugin <= 6.3.1 versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing input sanitization of the `pensopay_action` parameter allows reflected Cross-Site Scripting."

Attack vector

An attacker can craft a malicious URL containing a JavaScript payload in a query parameter that the plugin reflects without sanitization. Since the vulnerability requires no authentication, the attacker simply needs to trick a logged-in WordPress administrator or user into clicking the crafted link. When the victim's browser renders the page, the injected script executes in the context of the WordPress admin panel, potentially allowing the attacker to steal session cookies, perform administrative actions, or inject further malicious content. [CWE-79]

Affected code

The vulnerability affects the Pensopay WooCommerce PensoPay plugin versions <= 6.3.1. The advisory title indicates an unauthenticated reflected Cross-Site Scripting (XSS) vulnerability, meaning the plugin fails to properly sanitize or escape user-supplied input before reflecting it back in the response.

What the fix does

The advisory does not include a published patch diff, but the changelog entry for version 6.3.2 states: 'Fix: Sanitize pensopay_action in pensopay_manual_transaction_actions handler' [ref_id=1]. This indicates the fix adds proper sanitization (e.g., using WordPress functions like `sanitize_text_field()` or `esc_html()`) to the `pensopay_action` parameter before it is output, preventing the injection of arbitrary HTML or JavaScript. Users should update to version 6.3.2 or later to remediate the vulnerability.
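
To make the fix concrete, the following is an added illustration, not the plugin's code and not taken from the advisory: a hypothetical handler that reflects `pensopay_action`, shown first in the vulnerable pattern and then hardened in the way the 6.3.2 changelog describes (normalize the input, accept only known values, escape on output). The handler function names, the allowed action names and the stand-in definitions of the WordPress helpers are assumptions.

```php
<?php
// Added illustration, not the PensoPay plugin's code. Hypothetical handler
// that reflects the `pensopay_action` request parameter, vulnerable form
// beside a hardened form.

// Stand-ins so the file runs outside WordPress (assumption: the real
// WordPress functions are used when loaded as a plugin).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Simplified stand-in: drop tags and control characters, trim whitespace.
        $str = strip_tags( (string) $str );
        return trim( preg_replace( '/[\x00-\x1F\x7F]/', '', $str ) );
    }
}

// Vulnerable pattern (CWE-79): the raw query parameter is concatenated
// straight into the HTML response.
function pensopay_manual_transaction_actions_vulnerable( array $get ) {
    $action = isset( $get['pensopay_action'] ) ? $get['pensopay_action'] : '';
    return '<div class="notice">Action: ' . $action . '</div>';
}

// Hardened pattern: sanitize the input, restrict it to an allowlist of
// known actions (hypothetical names), and escape at the point of output.
function pensopay_manual_transaction_actions_fixed( array $get ) {
    $allowed = array( 'capture', 'refund', 'cancel' ); // hypothetical action names
    $action  = isset( $get['pensopay_action'] ) ? sanitize_text_field( $get['pensopay_action'] ) : '';
    if ( ! in_array( $action, $allowed, true ) ) {
        $action = 'unknown';
    }
    return '<div class="notice">Action: ' . esc_html( $action ) . '</div>';
}

// Constructed sample request: a harmless tag that the browser would treat as markup.
$sample = array( 'pensopay_action' => '<b>marker</b>' );
echo pensopay_manual_transaction_actions_vulnerable( $sample ), "\n"; // tag reaches the page as markup
echo pensopay_manual_transaction_actions_fixed( $sample ), "\n";      // value is allowlisted and escaped
```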

Preconditions

  • input: The attacker must trick a victim into clicking a crafted URL that includes a malicious query parameter reflected by the plugin.
  • auth: No authentication is required to trigger the reflection, but the victim must be logged into WordPress for the XSS to have impact in the admin context.
  • config: The vulnerable plugin version must be <= 6.3.1.

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
