Stored Cross-Site Scripting Vulnerability in ThemeMakers Stripe Checkout for WordPress
CVE-2025-1690

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Thememakers Stripe Checkout
Vendor: CVE Published:; 27 February 2025

What is CVE-2025-1690?

The ThemeMakers Stripe Checkout plugin for WordPress is exposed to a Stored Cross-Site Scripting vulnerability. This issue arises from inadequate input sanitization and output escaping for attributes supplied by users, specifically in the 'stripe' shortcode. Authenticated attackers with contributor-level permissions can exploit this vulnerability to inject malicious web scripts into pages. When these pages are accessed by users, the scripts will execute, compromising site integrity and potentially leading to data theft or further attacks.

Affected Version(s)

ThemeMakers Stripe Checkout * <= 1.0.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/car-dealer-automotive-wordpr...

https://github.com/ThemeMakers/tmm_stripe_checkout/compar...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 27, 2025
Vulnerability Reserved
Feb 25, 2025

Credit

István Márton