CVE-2026-1295 in Buy Now Plus Plugin

Summary

by MITRE • 01/28/2026

The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 01/29/2026

The vulnerability identified as CVE-2026-1295 affects the Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress, a widely used payment processing solution that enables merchants to integrate Stripe payment functionality into their WordPress sites. This plugin facilitates the creation of purchase buttons through shortcodes, making it a critical component in e-commerce operations. The vulnerability exists in all versions up to and including 1.0.2, representing a significant security risk for WordPress installations that rely on this plugin for transaction processing.

The technical flaw stems from insufficient input sanitization and output escaping mechanisms within the plugin's 'buynowplus' shortcode implementation. When administrators or contributors with appropriate privileges create or modify pages containing this shortcode, the plugin fails to properly validate or escape user-supplied attributes before rendering them in the HTML output. This weakness creates a stored cross-site scripting vulnerability that allows attackers to inject malicious JavaScript code into the plugin's shortcode parameters. The vulnerability is particularly concerning because it requires only Contributor-level access or higher, making it accessible to users who should normally have limited administrative capabilities.
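To make the failure mode concrete, here is an added illustrative example, not code from the Buy Now Plus plugin: a minimal shortcode handler written in the vulnerable pattern the advisory describes, followed by a hardened version that escapes each attribute for the HTML context it lands in. The attribute names label, url and class are assumptions chosen for illustration; only the shortcode name comes from the advisory.

```php
<?php
// Illustrative example, not the plugin's own code. Attribute names
// ('label', 'url', 'class') are assumed for the purpose of the demo.

// Vulnerable pattern: shortcode attributes are concatenated straight into
// the HTML output. Anyone who can place [buynowplus label="..."] in a post
// (Contributor role and above) controls the markup every visitor renders.
function buynowplus_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Buy now', 'url' => '', 'class' => '' ),
        $atts,
        'buynowplus'
    );
    return '<a href="' . $atts['url'] . '" class="' . $atts['class'] . '">'
         . $atts['label'] . '</a>';
}

// Hardened pattern: every value is escaped for its output context.
//  - esc_url() drops disallowed schemes, so the href cannot carry script.
//  - sanitize_html_class() reduces the class value to [A-Za-z0-9_-].
//  - esc_attr() neutralises quote break-outs inside attribute values.
//  - esc_html() prevents the label from opening a new element.
function buynowplus_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Buy now', 'url' => '', 'class' => '' ),
        $atts,
        'buynowplus'
    );
    $class = sanitize_html_class( $atts['class'] );
    return sprintf(
        '<a href="%s" class="%s">%s</a>',
        esc_url( $atts['url'] ),
        esc_attr( $class ),
        esc_html( $atts['label'] )
    );
}

// Only the hardened handler is registered; the vulnerable one is shown
// purely for comparison.
add_shortcode( 'buynowplus', 'buynowplus_shortcode_hardened' );
```

The escaping step belongs at output time in the handler itself, because shortcode attributes are stored verbatim in post content and WordPress's role-based filtering of post HTML does not inspect values inside shortcode brackets.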

The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with persistent access to the WordPress installation through the stored XSS vector. When authenticated users, including administrators, visit pages containing the maliciously injected shortcode, the stored scripts execute in their browsers, potentially leading to session hijacking, credential theft, or further exploitation of the WordPress environment. The vulnerability enables attackers to manipulate the plugin's functionality and potentially gain unauthorized access to sensitive payment information or customer data stored within the WordPress system.

This vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws in web applications, and demonstrates a clear violation of secure coding practices regarding input validation and output escaping. From an ATT&CK framework perspective, this vulnerability maps to T1546.001 for 'System Scripting' and T1071.001 for 'Application Layer Protocol: Web Protocols', as it enables attackers to establish persistent script execution within the web application environment. The attack vector requires minimal privileges and leverages the legitimate functionality of the plugin, making it particularly dangerous as it can bypass many traditional security monitoring mechanisms that might not detect malicious activity within seemingly legitimate plugin operations.

Mitigation strategies should include immediate plugin updates to versions that address the input sanitization issues, implementing additional access controls for users who can modify shortcode content, and conducting thorough security audits of all installed plugins to identify similar vulnerabilities. Organizations should also implement web application firewalls and content security policies to provide additional layers of protection against cross-site scripting attacks. Regular security monitoring and user access reviews are essential to prevent unauthorized modifications to plugin configurations and to maintain the integrity of e-commerce transactions within WordPress environments.

Disclosure

01/28/2026

Moderation

accepted

CPE

ready

EPSS

0.00016

KEV

no

Activities

very low

Sources
