PatchSiren cyber security CVE debrief
CVE-2026-11324 evertec CVE debrief
The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This vulnerability has a CVSS score of 6.1 and is considered Medium severity. Users of these plugins should be aware of this vulnerability and take immediate action to protect their applications.
- Vendor
- evertec
- Product
- WooCommerce Placetopay Gateway Belice
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress should be aware of this vulnerability and take immediate action to protect their applications. Operators, platform administrators, vulnerability management teams, and security teams should review the affected product context and defensive impact to ensure proper mitigation.
Technical summary
The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability has a CVSS score of 6.1 and is considered Medium severity.
Defensive priority
Medium priority given the CVSS score of 6.1 and the potential for attackers to inject arbitrary web scripts.
Recommended defensive actions
- Update WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins to a version that fixes the vulnerability
- Implement input sanitization and output escaping for the 'redirect-url' parameter
- Monitor for suspicious activity and implement compensating controls
- Perform inventory checks to identify potentially affected systems
- Exception tracking and retest procedures should be in place
- Review relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence is based on CVE-2026-11324 NVD detail and source item URL. Limited evidence available. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Defenders should verify affected product deployments, review official advisories, and plan vendor-supported updates or mitigations.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T04:16:50.177Z and has not been modified since then.