CVE-2026-0751 Overview
The Payment Page | Payment Form for Stripe plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the pricing_plan_select_text_font_family parameter. This vulnerability affects all versions up to and including 1.4.6 and stems from insufficient input sanitization and output escaping. Authenticated attackers with Author-level access or higher can exploit this flaw to inject arbitrary web scripts into pages, which execute whenever a user accesses the compromised page.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in visitors' browsers, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of legitimate users.
Affected Products
- Payment Page | Payment Form for Stripe plugin for WordPress versions up to and including 1.4.6
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-0751 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-0751
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the PaymentForm.php file at line 310, where the pricing_plan_select_text_font_family parameter is processed without adequate input validation and output encoding.
When an authenticated user with Author-level privileges or higher submits a maliciously crafted value for the font family parameter, the application stores this input directly in the database. Subsequently, when any user views a page containing the affected payment form, the stored malicious script executes within their browser context.
The vulnerability requires network access and low-privilege authentication to exploit. The scope is changed, meaning the vulnerability can affect resources beyond its security scope, impacting both confidentiality and integrity of the affected system.
Root Cause
The root cause is insufficient input sanitization and output escaping in the handling of the pricing_plan_select_text_font_family parameter within the Payment Page plugin. The vulnerable code path in PaymentForm.php fails to properly sanitize user-supplied input before storing it in the database and does not escape the output when rendering it on the page. This allows attackers to inject HTML and JavaScript code that persists across page loads.
Attack Vector
The attack vector is network-based, requiring the attacker to have authenticated access to a WordPress site with at least Author-level privileges. The attacker crafts a malicious payload containing JavaScript code within the font family parameter value. When this value is saved to the payment form configuration, it becomes stored in the WordPress database. Any subsequent visitor to a page containing the affected payment form will have the malicious script execute in their browser session.
The stored nature of this XSS vulnerability makes it particularly dangerous as it affects all users who view the compromised page, not just the attacker's session. Potential attack scenarios include stealing authentication cookies, redirecting users to phishing pages, or performing actions on behalf of authenticated administrators.
Detection Methods for CVE-2026-0751
Indicators of Compromise
- Unexpected JavaScript or HTML tags present in payment form configuration fields, particularly in font-related settings
- Anomalous database entries in WordPress options or post meta containing script tags or event handlers
- User reports of unexpected behavior, pop-ups, or redirects when viewing pages with payment forms
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in form submissions
- Monitor WordPress database for suspicious content in plugin configuration tables
- Review audit logs for Author-level users modifying payment form settings with unusual values
- Deploy browser-based Content Security Policy (CSP) headers to mitigate script injection impact
Monitoring Recommendations
- Enable WordPress activity logging to track changes to plugin settings by authenticated users
- Configure alerts for database modifications to payment form configuration fields
- Implement real-time monitoring for JavaScript execution anomalies on pages containing payment forms
- Conduct periodic security scans of WordPress installations to identify stored XSS payloads
How to Mitigate CVE-2026-0751
Immediate Actions Required
- Update the Payment Page | Payment Form for Stripe plugin to a version newer than 1.4.6 that includes security patches
- Review all existing payment form configurations for potentially malicious content in font family and related fields
- Audit Author-level and above user accounts for any suspicious activity or compromised credentials
- Implement Content Security Policy headers to reduce the impact of any stored XSS payloads
Patch Information
Site administrators should update the Payment Page | Payment Form for Stripe plugin to the latest available version that addresses this vulnerability. The fix involves proper input sanitization and output escaping for the pricing_plan_select_text_font_family parameter. Technical details about the vulnerable code can be found in the WordPress Plugin Code Reference. Additional vulnerability analysis is available from Wordfence Threat Intelligence.
Workarounds
- Temporarily restrict Author-level access to payment form configuration until the patch is applied
- Implement server-side input validation to strip HTML and JavaScript from font family parameters
- Deploy a Web Application Firewall with XSS filtering rules to block malicious payloads
- Consider temporarily disabling the payment form functionality if immediate patching is not possible
# WordPress CLI command to check plugin version
wp plugin list --name=payment-page --fields=name,version,update_version
# Update the plugin to the latest version
wp plugin update payment-page
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
