Stored Cross-Site Scripting in Express Payment For Stripe Plugin by WordPress
CVE-2026-8893
6.4MEDIUM
What is CVE-2026-8893?
The Express Payment For Stripe plugin for WordPress has a serious vulnerability that allows stored cross-site scripting (XSS) attacks. The issue arises from inadequate input sanitization and output escaping associated with the 'type' attribute of the [stripe-express] shortcode. This vulnerability is present in versions up to and including 1.28.0. Authenticated attackers with contributor-level access or higher can exploit this flaw to inject malicious web scripts that execute whenever a user accesses the affected pages. This poses significant risks to website integrity and user security.
Affected Version(s)
Express Payment For Stripe 0 <= 1.28.0