Attack Vectors

Payment Page | Payment Form for Stripe (slug: payment-page) versions 1.4.6 and earlier are affected by a Medium-severity Stored Cross-Site Scripting (XSS) issue tracked as CVE-2026-0751 (CVSS 6.4).

This issue can be exploited by an authenticated WordPress user with Author-level permissions (or higher). An attacker can insert malicious script payloads through the ‘pricing_plan_select_text_font_family’ parameter, which can then be stored and executed later when other users view the affected page(s).

From a business-risk perspective, the most realistic scenarios involve: (1) a compromised Author account, (2) an over-permissioned marketing/editorial user who should not have Author rights, or (3) insider misuse.

Security Weakness

The vulnerability is caused by insufficient input sanitization and output escaping for the ‘pricing_plan_select_text_font_family’ parameter. In practical terms, this means untrusted input can be saved in WordPress content/settings and later rendered in a way that allows browser-executed scripts to run.

Because this is stored XSS, the malicious code can persist until it is found and removed, increasing the likelihood of repeated exposure across internal teams (marketing, finance, compliance) and potentially customers, depending on where the affected payment page is used.

Technical or Business Impacts

Although rated Medium, stored XSS in a payment-related context can create disproportionate business risk. Potential impacts include: session or account compromise for users who view the injected page, unauthorized actions performed in the background under a victim’s logged-in session, and manipulation of on-page content that can mislead visitors.

For executives and compliance teams, the bigger concerns are often secondary effects: reputational damage if a payment page is altered, loss of lead/customer trust, higher support and incident-response costs, and possible compliance reporting obligations depending on what data is exposed or what actions are triggered.

Remediation: Update Payment Page | Payment Form for Stripe to version 1.4.7 or newer (patched). As an additional risk-reduction measure, review which users have Author+ permissions, enforce strong authentication for those accounts, and consider auditing recent changes to pages/settings associated with the plugin.

Similar Attacks

Stored XSS has been widely used in real-world web compromises to hijack sessions, manipulate content, and pivot into broader administrative access. Examples and background reading:

OWASP: Cross-Site Scripting (XSS)
CISA: Understanding and Mitigating Web-Based Attacks (includes XSS)
Wordfence Blog: WordPress vulnerability and attack reporting (real-world cases)