PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6858 Transbank CVE debrief

CVE-2026-6858 is a stored cross-site scripting (XSS) vulnerability in the Transbank Webpay WordPress plugin before version 1.14.0. The plugin does not sanitise or escape log entries before displaying them, so an unauthenticated user can get script into the log that executes in the browser of any logged-in administrator who views it. The record carries a CVSS score of 7.1 (High), as listed in the table below. Because the payload runs with an administrator's session in wp-admin, it can perform any action that administrator can, so affected sites should update or mitigate promptly.

Vendor: Transbank
Product: Webpay WordPress plugin
CVSS: 7.1 (High)
CISA KEV: not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-22
Advisory published: 2026-06-22
Advisory updated: 2026-06-22

Who should care

Administrators and security teams responsible for WordPress sites that use the Transbank Webpay plugin, which integrates the Chilean Transbank Webpay payment service into WooCommerce-style checkouts. Any site running a plugin version below 1.14.0 is affected, whether or not the log view is normally used, because the injection point is reachable without authentication; those sites should update or apply a mitigation now.

Technical summary

The Transbank Webpay WordPress plugin before 1.14.0 writes data from requests it handles into its log and renders that log in the WordPress admin area without sanitising the entries on input or escaping them on output. Because a request path that writes to the log is reachable without authentication, an attacker can place HTML or JavaScript into a log entry; the script runs when an administrator opens the log view. The record's CVSS entry is 7.1 (High). Stored XSS against an administrator is effectively a takeover path: the script runs same-origin inside wp-admin with the administrator's authenticated session, so it can issue requests as that user (for example to create accounts or install plugins) without ever needing the admin's credentials.
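To make the defect concrete, here is an added example, not code from the Transbank Webpay plugin or from PatchSiren: a minimal admin log viewer in plain PHP that echoes stored entries unescaped, beside the escaped form. The log entries are constructed. `esc_html()` is the WordPress function a plugin would call for this context; a stand-in with the same name is defined so the file runs outside WordPress.

```php
<?php
// Added illustration, not the plugin's own code. Shows the vulnerable
// pattern (log entry interpolated straight into admin-page markup) and the
// hardened pattern (entry escaped at output time in the HTML-text context).

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html() so this script runs without WordPress.
    // Inside a plugin you would call the real esc_html() instead.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed log entries. The second is the kind of line an unauthenticated
// request could cause to be written if request data is logged verbatim.
$entries = [
    '2026-06-22 10:00:01 Webpay transaction token received',
    '2026-06-22 10:00:05 <img src=x onerror="alert(document.domain)">',
];

// Vulnerable: the raw entry becomes part of the page, so the <img> tag is
// parsed and its onerror handler runs in the administrator's browser.
function render_log_unescaped(array $entries): string {
    $html = "<table>\n";
    foreach ($entries as $line) {
        $html .= "  <tr><td>{$line}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened: the entry is escaped for the HTML-text context it lands in, so
// '<' becomes '&lt;' and the browser shows the payload as inert text.
function render_log_escaped(array $entries): string {
    $html = "<table>\n";
    foreach ($entries as $line) {
        $html .= '  <tr><td>' . esc_html($line) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

echo "--- vulnerable ---\n", render_log_unescaped($entries);
echo "--- hardened ---\n",  render_log_escaped($entries);
```

Run it with `php viewer.php` and compare the two tables: only the second one contains `&lt;img src=x onerror=&quot;...`. Escaping has to match the output context; `esc_html()` is correct for text between tags, while a value placed inside an attribute needs `esc_attr()`, and sanitising on input alone is not a substitute, since log data arrives from many paths.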

Defensive priority

High: the injection point is reachable without authentication and the victim is an administrator, the highest-privilege WordPress role, so one successful execution can lead to full site compromise. The main limiting factor is that an administrator has to open the log view.

Recommended defensive actions

  • Update the Transbank Webpay WordPress plugin to version 1.14.0 or later, then confirm the installed version (for example with `wp plugin list` under WP-CLI, or from the plugin header) rather than assuming the update applied.
  • Before anyone opens the plugin's log page on an unpatched site, review the stored entries out of band (directly in the database or on disk, wherever the plugin writes them) for HTML tags, `on*=` event handlers or `javascript:` URLs; opening the log through the plugin UI is what triggers the payload.
  • Monitor for the actions an admin-session XSS typically performs: newly created administrator accounts, plugin or theme installs and updates, and changes to the site URL or admin e-mail options.
  • If immediate patching is not possible, deactivate the plugin, which also stops its admin log page from rendering.
  • After updating, clear or review existing log entries that contain markup; the fixed version escapes them on display, but a log full of payloads is still evidence that should be preserved for the incident review before being purged.
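The version check and the out-of-band log review above, combined into one added PHP script that is not the plugin's code or PatchSiren's. The plugin file path is an assumption (the real plugin directory and file name may differ) and the log lines are constructed; point the script at the plugin's real main file and feed it the real log entries.

```php
<?php
// Added helper, not part of the plugin. Two checks a site administrator can
// run from the shell before opening the plugin's log page in wp-admin.

// 1. Is the installed version still below the fixed release?
const FIXED_VERSION = '1.14.0';

function installed_plugin_version(string $plugin_main_file): ?string {
    // WordPress plugin headers carry a "Version:" line in the file's leading
    // comment block; only the first 8 KiB is read, as WordPress itself does.
    $head = file_get_contents($plugin_main_file, false, null, 0, 8192);
    if ($head === false) {
        return null;
    }
    return preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m) ? $m[1] : null;
}

function is_vulnerable_version(?string $version): bool {
    // An unreadable version is reported as vulnerable rather than silently skipped.
    return $version === null || version_compare($version, FIXED_VERSION, '<');
}

// 2. Which stored log lines contain markup that would execute if rendered
//    unescaped? Flags tags, event-handler attributes and javascript: URLs.
//    This is a triage filter, so it prefers false positives over misses.
function suspicious_log_lines(array $lines): array {
    $pattern = '/<\s*\/?[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:|<\s*script/i';
    $hits = [];
    foreach ($lines as $n => $line) {
        if (preg_match($pattern, $line)) {
            $hits[$n + 1] = $line;   // 1-based line number => offending entry
        }
    }
    return $hits;
}

// Constructed sample standing in for the plugin's real log.
$sample_log = [
    '2026-06-22 09:58:12 init transaction buy_order=12345',
    '2026-06-22 09:58:13 callback token=abc123 status=AUTHORIZED',
    '2026-06-22 09:58:40 callback token=<svg onload=alert(document.domain)> status=FAILED',
];

// Assumed path; adjust to where the plugin is actually installed.
$main_file = '/var/www/html/wp-content/plugins/transbank-webpay/transbank-webpay.php';
$version   = file_exists($main_file) ? installed_plugin_version($main_file) : null;
printf("installed version: %s, needs update: %s\n",
    $version ?? 'unknown', is_vulnerable_version($version) ? 'yes' : 'no');

foreach (suspicious_log_lines($sample_log) as $n => $line) {
    printf("log line %d contains markup: %s\n", $n, $line);
}
```

With the constructed sample the scanner reports line 3 only; `version_compare()` handles the `1.13.x` versus `1.14.0` comparison correctly, which a plain string comparison would not once a component reaches two digits. Run the scanner over a database export or the log file itself, never through the plugin's own page on an unpatched site.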

Evidence notes

The CVE-2026-6858 record describes a stored XSS vulnerability in the Transbank Webpay WordPress plugin before 1.14.0 that unauthenticated users can exploit against logged-in administrators. The evidence rests on a single reference, the WPScan advisory (https://wpscan.com/vulnerability/81035d75-81a5-486a-a9fb-b0d1e0befe3c/); no proof of concept or exploitation-in-the-wild report is in the stored evidence, and the issue is not listed in CISA KEV. Defenders should verify the installed plugin version and update to 1.14.0 or later.

Official resources

  • WPScan advisory: https://wpscan.com/vulnerability/81035d75-81a5-486a-a9fb-b0d1e0befe3c/

This article is AI-assisted and based on the supplied source corpus.