PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11324 evertec CVE debrief

The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This vulnerability has a CVSS score of 6.1 and is considered Medium severity. Users of these plugins should be aware of this vulnerability and take immediate action to protect their applications.

Vendor
evertec
Product
WooCommerce Placetopay Gateway Belice
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress should be aware of this vulnerability and take immediate action to protect their applications. Operators, platform administrators, vulnerability management teams, and security teams should review the affected product context and defensive impact to ensure proper mitigation.

Technical summary

The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability has a CVSS score of 6.1 and is considered Medium severity.

Defensive priority

Medium priority given the CVSS score of 6.1 and the potential for attackers to inject arbitrary web scripts.

Recommended defensive actions

  • Update WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins to a version that fixes the vulnerability
  • Implement input sanitization and output escaping for the 'redirect-url' parameter
  • Monitor for suspicious activity and implement compensating controls
  • Perform inventory checks to identify potentially affected systems
  • Exception tracking and retest procedures should be in place
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

Evidence is based on CVE-2026-11324 NVD detail and source item URL. Limited evidence available. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Defenders should verify affected product deployments, review official advisories, and plan vendor-supported updates or mitigations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T04:16:50.177Z and has not been modified since then.