CVE-2026-8893: Stored XSS in Express Payment For Stripe WordPress Plugin
A stored cross-site scripting (XSS) vulnerability exists in the Express Payment For Stripe WordPress plugin up to version 1.28.0. Authenticated users with contributor-level permissions or higher can embed malicious scripts into pages using the [stripe-express] shortcode. These scripts execute in the browsers of anyone viewing the affected page, potentially allowing attackers to steal session cookies, redirect users, or perform actions on their behalf. The vulnerability stems from the plugin failing to properly escape shortcode attribute values before rendering them in HTML.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the [stripe-express] shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value, which is concatenated into an HTML attribute in the rendered output of the register_shortcode() function without being passed through esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the register_shortcode() function of the Express Payment For Stripe plugin. The 'type' attribute of the [stripe-express] shortcode is concatenated directly into an HTML attribute without undergoing proper escaping via esc_attr() or equivalent sanitization. This allows authenticated attackers with contributor-level access (or above) to inject arbitrary JavaScript. The malicious payload persists in the database as part of the post content, making this a stored XSS attack rather than a reflected one. Each page view triggers script execution in visitor browsers, creating an ongoing attack surface.
Business impact
Organizations using this plugin on client-facing or internal WordPress sites face compromised user sessions and potential data exfiltration. Attackers can harvest authentication tokens, capture form submissions, deface page content, or redirect users to malicious domains. If the WordPress installation manages payments or sensitive customer data, the impact scales significantly. Remediation requires immediate patching and audit of existing content for injected payloads, as the vulnerability requires database-level cleanup in addition to code fixes.
Affected systems
WordPress installations running the Express Payment For Stripe plugin at version 1.28.0 or earlier are vulnerable. The attack vector requires authenticated access at the contributor level or above, meaning staff accounts, authors, and editors are potential threat actors. Sites with permissive user role management or compromised staff accounts face higher risk. WordPress multisite installations may see lateral risk if a single compromised account can inject content across multiple sites.
Exploitability
Exploitability is moderate. While the vulnerability requires authenticated access (not unauthenticated), contributor-level permissions are relatively common in WordPress environments. Attack complexity is low—an attacker simply needs to create or edit a page using the vulnerable shortcode syntax with JavaScript payload. No user interaction is required for the script to execute once injected; it runs automatically for every page visitor. The CVSS score of 6.4 (Medium) reflects the authentication requirement offset by the widespread potential impact.
Remediation
Update the Express Payment For Stripe plugin to a version addressing CVE-2026-8893 (verify the specific patched version against the vendor's official advisory). After patching, audit all pages, posts, and custom post types for suspicious [stripe-express] shortcode attributes. Use WordPress search tools or database queries to identify and remove injected payloads. Consider temporarily restricting contributor-level content editing to trusted staff until the audit is complete. Review user access logs to identify which accounts created suspicious content.
Patch guidance
Apply the latest available update to the Express Payment For Stripe plugin immediately. Patches addressing this vulnerability should include proper use of esc_attr() or sanitize_text_field() on the 'type' attribute before output. Verify the patch version against the official plugin repository or vendor advisory to confirm the fix addresses CVE-2026-8893. Test the patched version in a staging environment before deploying to production to ensure no conflicts with other plugins or site functionality.
Detection guidance
Search your WordPress database for [stripe-express] shortcodes containing suspicious characters or JavaScript syntax in the 'type' attribute (e.g., onload, onclick, script tags, or encoded payloads). Review WordPress logs and audit trails for post/page edits by contributor-level accounts around the time of potential compromise. Monitor your Web Application Firewall or server logs for unusual POST requests to wp-admin/post.php with encoded script payloads. Conduct a content audit of all published pages to identify anomalous shortcode usage or attributes that deviate from legitimate Stripe payment configurations.
Why prioritize this
Although the CVSS score is Medium (6.4), this vulnerability warrants prompt attention because stored XSS vulnerabilities have persistent, broad impact. Every site visitor is at risk of compromise, not just one user. The authentication requirement does not eliminate risk if staff accounts are compromised or if insider threats exist. The financial integration (Stripe payments) increases the attractiveness of the target. Update availability and relatively low attack complexity make this a practical exploit target for threat actors with minimal access.
Risk score, explained
The CVSS 3.1 score of 6.4 (Medium) reflects: (1) Network-based attack vector with low attack complexity, (2) requirement for low-privilege authenticated access, (3) changed scope (scripts execute in other users' browsers), and (4) limited confidentiality and integrity impact (no availability impact). The score would be higher if the vulnerability were unauthenticated or required no user interaction; it is lower than Critical/High because exploitation requires prior authenticated access. In practice, organizations should treat this as higher priority than the numeric score suggests due to the persistence and breadth of stored XSS.
Frequently asked questions
Can unauthenticated users exploit this vulnerability?
No. The vulnerability requires authenticated access at the contributor level or above. Attackers must have a WordPress user account with permissions to create or edit pages/posts. This limits the immediate threat to internal staff or compromised user accounts, but does not eliminate risk if those accounts are breached.
Will updating the plugin remove existing malicious payloads from my site?
No. Updating the plugin code prevents *new* injected payloads from executing, but existing stored XSS payloads in post content remain in the database. You must manually audit and remove any suspicious [stripe-express] shortcodes from your pages and posts after patching. Use the plugin's search functionality or database queries to locate and review suspicious content.
How do I know if my site has been exploited?
Search your WordPress admin interface and database for [stripe-express] shortcodes with unusual attributes or JavaScript syntax. Review post/page revision history and audit logs for edits by unexpected accounts. Check your server access logs for suspicious POST requests to wp-admin. Enable WordPress debug logging to capture any script execution errors that might indicate injection attempts. Consider using a security plugin to scan for known XSS patterns.
Does this affect my WordPress admin dashboard or only front-end pages?
Both. If a malicious shortcode is injected into a page or post, the stored script executes whenever *anyone*—admin or regular visitor—views that page. Administrators are not exempt. The scope marked as 'Changed' (S:C) in the CVSS vector means the attack can affect other users beyond just the one making the request.
This analysis is provided for informational purposes to support vulnerability management and patching decisions. SEC.co does not verify exploit availability, active exploitation in the wild, or real-world attack prevalence. Organizations should validate all patch versions against official vendor advisories before deployment. The CVSS score and vector are provided as-is from the source data; scoring methodologies may differ. No liability is accepted for decisions made based solely on this intelligence. Always conduct independent testing and threat modeling appropriate to your environment. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1