MEDIUM 6.4

CVE-2021-47983: Stored XSS in Stripe Payments WordPress Plugin 2.0.39

The Stripe Payments WordPress plugin version 2.0.39 contains a stored cross-site scripting (XSS) vulnerability that allows logged-in attackers to inject malicious JavaScript code into plugin settings. When an administrator views these compromised settings, the injected script executes in their browser with full administrative privileges. This type of attack is particularly dangerous because the malicious code persists in the database and affects all administrators who access the settings page.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2021-47983 is a stored XSS vulnerability in Stripe Payments 2.0.39 resulting from improper input validation on the AcceptStripePayments-settings[currency_code] parameter. The vulnerability exists in the /wp-admin/options.php endpoint, where POST requests containing script payloads in the currency_code field are stored without adequate sanitization. Subsequently, when administrators load the plugin settings page, the stored payload executes in the context of the WordPress admin panel, bypassing Content Security Policy protections through the cross-site flag (S:C in the CVSS vector).

Business impact

While exploitation requires authenticated access, a compromised lower-privileged WordPress account (e.g., shop manager, editor) can inject malicious scripts that execute with administrator-level visibility. This enables attackers to harvest sensitive data, create rogue administrator accounts, modify payment configurations, or redirect transactions. For e-commerce sites processing payments via Stripe, this creates both compliance risk and direct revenue exposure.

Affected systems

Stripe Payments WordPress plugin version 2.0.39 is explicitly affected. Organizations running this plugin should verify their installed version immediately. Newer versions may address this issue; consult the plugin's changelog or security advisories for remediation guidance.

Exploitability

Exploitation requires an authenticated WordPress user account, making this a post-authentication attack. The CVSS score of 6.4 reflects the medium severity: while the barrier to initial access is low (compromised credentials are common), the impact is elevated due to the administrative context of execution. No user interaction is required once a request is crafted, and the attack leaves persistent artifacts in the database that affect multiple administrators.

Remediation

Immediately update Stripe Payments to a patched version. Verify against the official WordPress plugin repository or vendor security advisory for the minimum safe version. If immediate patching is not possible, restrict administrator and shop-manager-level account access to trusted personnel and monitor wp_options table modifications for suspicious currency_code entries.

Patch guidance

Check the Stripe Payments plugin page on WordPress.org for the latest available version. Review the changelog for security fixes related to input validation. Test patches in a staging environment before production deployment, as payment plugins are security-critical. If your hosting provider manages updates automatically, verify that this plugin receives timely patches.

Detection guidance

Audit wp_options table entries, specifically the AcceptStripePayments-settings option, for suspicious script tags or encoded payloads. Check WordPress admin audit logs for settings modifications by lower-privileged accounts. Monitor for unusual JavaScript execution in admin panel request/response cycles using browser developer tools or WAF logs. Implement database integrity monitoring to alert on changes to options containing serialized plugin configuration.

Why prioritize this

Although this vulnerability requires authenticated access, the confluence of factors—persistent storage, administrative execution context, payment system exposure, and ease of crafting malicious settings—warrants prompt patching. Organizations with shared WordPress environments or contractor access should prioritize this higher. The stored nature of the XSS means a single injection compromises all administrators indefinitely until the malicious option is removed.

Risk score, explained

The CVSS 3.1 score of 6.4 (MEDIUM) reflects authentication as a prerequisite (PR:L), but the cross-site impact scope (S:C) and confidentiality/integrity consequences (C:L/I:L) elevate the risk. The lack of availability impact (A:N) prevents a higher score. In practice, organizations should treat this as high-priority because it affects payment processing infrastructure and can lead to lateral privilege escalation or data theft.

Frequently asked questions

Does this vulnerability affect my site if I don't use the Stripe Payments plugin?

No. This vulnerability is specific to the Stripe Payments plugin version 2.0.39. If you use a different payment gateway or a newer version of this plugin, this particular issue does not apply. However, check your plugin versions against vendor advisories as a standard practice.

Can an unauthenticated attacker exploit this?

No. The CVSS vector explicitly requires PR:L (Low privilege), meaning the attacker must already have a WordPress account, such as a contributor, author, or shop manager role. However, if your WordPress installation has weak password policies or shared credentials, this barrier is effectively lower.

If I patch the plugin, do I need to clean up previously injected malicious code?

Yes. Patching prevents new injections but does not remove stored payloads from the wp_options table. After updating, query the database to inspect the AcceptStripePayments-settings option and remove any suspicious content. Verify that no administrator accounts created by the attacker remain in the wp_users table.

What if I can't patch immediately due to compatibility concerns?

Implement access controls: restrict wp-admin access by IP whitelist, enforce strong authentication (multi-factor if possible), and disable plugin settings pages for non-essential accounts. Monitor option modifications closely. However, this is a temporary measure—patching should be scheduled as soon as feasible.

This analysis is provided for informational purposes to support security decision-making. The vulnerability details, affected versions, and CVSS score are based on CVE-2021-47983 data. Organizations should verify patch availability and compatibility with their specific environment before deploying updates. No proof-of-concept or exploit code is provided. Always test patches in a non-production environment first. Consult the official Stripe Payments plugin repository and any vendor security advisories for authoritative remediation guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).