Flow Payment Plugin for WordPress Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Flow Payment plugin for WordPress, specifically in version 3.0.8. The issue occurs on the WooCommerce checkout page, where the plugin improperly handles the error_message GET parameter during order cancellations. This parameter is passed directly to the wc_add_notice() function without adequate input sanitization or output escaping, leaving it vulnerable to JavaScript payloads. An unauthenticated attacker can exploit this by crafting a URL with a malicious payload in the error_message parameter. When a victim with an active WooCommerce checkout session clicks the link, the payload executes in their browser, originating from the WordPress site.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious JavaScript that executes in the context of the user's browser.

Remediation

Users are advised to update the Flow Payment plugin for WordPress to version 3.0.9 or later, where this vulnerability has been addressed.

Added: Jul 18, 2026, 9:23 PM
Updated: Jul 18, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
1.7
exploitability
5.8
remediation
0.0
relevance
9.9
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.