CVE-2026-57857
Flow Payment Plugin for WordPress Reflected Cross-Site Scripting via error_message Parameter
The Flow Payment plugin for WordPress (flow.cl) version 3.0.8 is vulnerable to reflected cross-site scripting on the WooCommerce checkout page. When the plugin handles an order cancellation, the error_message GET parameter is passed directly to wc_add_notice() in flowpayment-fl.php (lines 57-58) without input sanitization (for example sanitize_text_field()) or output escaping (for example esc_html()) before being rendered in the checkout notice HTML. An unauthenticated attacker can craft a URL containing a JavaScript payload in the error_message parameter (for example /checkout/?add-to-cart={product-id}&cancel_order=true&error_message={payload}); when a victim with an active WooCommerce checkout session follows the link, the payload executes in the victim's browser in the origin of the WordPress site.
| CWE | CWE-79 |
| Vendor | flow |
| Product | flow payment |
| Published | Jul 18, 2026 |
| Last Updated | Jul 18, 2026 |
Get instant alerts for flow flow payment
Be the first to know when new medium vulnerabilities affecting flow flow payment are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N