CVE-2026-0751 in Payment Page Form for Stripe Plugin

Summary

by MITRE • 02/14/2026

The Payment Page | Payment Form for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricing_plan_select_text_font_family' parameter in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 02/20/2026

The vulnerability identified as CVE-2026-0751 affects the Payment Page | Payment Form for Stripe plugin for WordPress, a widely used payment processing solution that integrates seamlessly with the Stripe payment gateway. This plugin enables WordPress site administrators to create customizable payment forms and pages for accepting online payments. The affected version range includes all releases up to and including 1.4.6, making it a significant concern for WordPress installations that rely on this payment processing functionality. The vulnerability resides within the plugin's handling of user input parameters, specifically the 'pricing_plan_select_text_font_family' field that controls the typography of payment plan selection elements on the payment page.

The technical flaw manifests as a stored cross-site scripting vulnerability that stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. When an authenticated attacker with Author-level privileges or higher submits malicious input through the 'pricing_plan_select_text_font_family' parameter, the system fails to properly validate or sanitize this input before storing it in the database. This stored malicious content then gets rendered back to users when they access pages containing the affected payment form elements. The vulnerability classification aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws, and represents a critical weakness in input validation and output encoding practices. The stored nature of this XSS vulnerability means that the malicious scripts persist in the database and execute automatically whenever affected pages are loaded by any user, including administrators and regular visitors.

The operational impact of this vulnerability is substantial, as it provides authenticated attackers with a persistent means of executing arbitrary web scripts within the context of affected WordPress sites. Attackers with Author-level access can leverage this vulnerability to perform various malicious activities including credential theft, session hijacking, data exfiltration, and modification of website content. The attack vector requires only a single authenticated session with sufficient privileges, making it particularly dangerous for sites where authors have access to plugin configuration interfaces. This vulnerability essentially transforms the payment form plugin into a potential attack vector for broader compromise of the WordPress installation, potentially leading to full site takeover, data breaches, or the deployment of additional malware. The threat is amplified by the fact that payment pages often contain sensitive user information, making the attack surface particularly valuable for cybercriminals.

Mitigation strategies for CVE-2026-0751 should prioritize immediate plugin updates to versions that address the identified sanitization and escaping deficiencies. Site administrators must ensure that all users with Author-level privileges or higher are properly authenticated and that access controls are maintained to prevent unauthorized modification of plugin settings. The implementation of additional security measures such as web application firewalls and content security policies can provide defense-in-depth protection against exploitation attempts. Regular security audits of WordPress plugins should include verification of input validation and output escaping mechanisms, particularly for parameters that influence user-facing content. Organizations should also implement monitoring systems to detect unusual modifications to plugin configurations and maintain regular backups to facilitate rapid recovery in case of successful exploitation. The vulnerability demonstrates the critical importance of proper input validation and output escaping as fundamental security practices, aligning with ATT&CK technique T1566 for credential access and T1059 for command and scripting interpreter usage.
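The audit recommended above can be sketched as follows. This is an added example, not the plugin's code or its patch, and it is written in Python rather than the plugin's PHP: it checks stored values of `pricing_plan_select_text_font_family` against a strict font-name allowlist and escapes the value for the HTML attribute context on output. The settings-export shape (form id mapped to a settings dict), the function names and the sample values are assumptions constructed for illustration.

```python
import html
import re

# Parameter name taken from the advisory; everything else here is illustrative.
FONT_KEY = "pricing_plan_select_text_font_family"

# One font name: starts with a letter, then letters/digits/spaces/hyphens,
# either bare or wrapped in matching single or double quotes.
_NAME = r"[A-Za-z][A-Za-z0-9 \-]{0,63}"
_FONT = rf"""(?:{_NAME}|'{_NAME}'|"{_NAME}")"""
# Up to eight comma-separated font names and nothing else.
FONT_FAMILY_RE = re.compile(rf"{_FONT}(?:\s*,\s*{_FONT}){{0,7}}")


def is_safe_font_family(value):
    """True only if value is a plain comma-separated list of font names."""
    return isinstance(value, str) and FONT_FAMILY_RE.fullmatch(value.strip()) is not None


def audit_settings(forms):
    """Return (form_id, value) for each stored value that fails the allowlist."""
    findings = []
    for form_id, settings in forms.items():
        value = settings.get(FONT_KEY)
        if value is not None and not is_safe_font_family(value):
            findings.append((form_id, value))
    return findings


def render_style_attr(value, fallback="sans-serif"):
    """Validate again at output time, then escape for the attribute context."""
    family = value.strip() if is_safe_font_family(value) else fallback
    return f'style="font-family: {html.escape(family, quote=True)}"'


# Constructed sample export (assumed shape: form id -> settings dict).
SAMPLE = {
    "form-1": {FONT_KEY: "Helvetica Neue, Arial, sans-serif"},
    "form-2": {FONT_KEY: '"Open Sans", serif'},
    "form-3": {FONT_KEY: 'Arial"><i>constructed</i>'},
    "form-4": {FONT_KEY: "Arial; background: url(//example.invalid/x)"},
    "form-5": {},  # setting never configured
}

if __name__ == "__main__":
    for form_id, value in audit_settings(SAMPLE):
        print(f"{form_id}: font-family value fails allowlist: {value!r}")
    print(render_style_attr(SAMPLE["form-2"][FONT_KEY]))
```

Validation on input and escaping on output are both shown because a value stored before a fix was deployed stays in the database and is only neutralized at render time.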

Disclosure: 02/14/2026

Moderation: accepted

CPE: ready

EPSS: 0.00015

KEV: no

Activities: very low
