We’re actively acquiring WordPress agencies. Sell your WordPress business to Freshy.
Let’s discuss

Express Payment For Stripe Plugin Vulnerability (CVE-2026-8893)

Nick Paliughi
On this page

Security Alert Summary

The Express Payment For Stripe plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the handling of the type attribute of the [stripe-express] shortcode. Insufficient input sanitization and missing output escaping allow authenticated users with contributor-level access or higher to inject scripts that will execute when an injected page is viewed.

CVE Details

  • CVE ID: CVE-2026-8893
  • Affected component: Express Payment For Stripe plugin for WordPress
  • Affected versions: versions up to, and including, 1.28.0
  • Published: June 6, 2026 at 12:16 AM UTC
  • Last modified: June 6, 2026 at 12:16 AM UTC
  • CVSS v3.1: Base Score 6.4, Severity MEDIUM, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Authentication required – attacker must be authenticated with contributor-level access or higher; CVSS privileges required: LOW; user interaction: NONE
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)

Technical Details

This vulnerability is a stored cross-site scripting (XSS) issue in the plugin’s shortcode handling. The plugin concatenates the value of the type attribute from the [stripe-express] shortcode directly into an HTML attribute in the rendered output within the register_shortcode() function without passing the value through an escaping function such as esc_attr(). Because the attribute value is not sanitized or escaped, an authenticated user with contributor-level access or higher can supply input that includes executable script content.

The injected script is stored as part of page content and will execute in the context of any user who views the injected page. The vulnerability arises from missing input sanitization and missing output escaping on a shortcode attribute that is rendered into an HTML attribute.

How This Could Impact Your Website

Consider a typical small business site with a site owner, internal content editors, and an external contractor who contributes posts. An attacker who can log in with contributor-level access could add a malicious payload via the [stripe-express] shortcode’s type attribute while creating or editing content. When other users visit the affected page, the injected script could run in their browsers.

  • Exposure of internal user information: the injected script could access visible data such as user display names and email addresses shown on pages, increasing the risk of targeted phishing.
  • Targeted social engineering: attackers could craft pages that harvest information or present convincing fake prompts to editors or managers.
  • Integrity concerns: content displayed to visitors or staff could be altered in the browser, potentially misleading users or disrupting workflows.

Availability is not indicated as affected by this vulnerability in the CVSS data. If youre unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and other low-privilege roles that can create or edit content.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and content changes for unusual behavior or unexpected shortcode parameters.

If youd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

References

Nick Paliughihttps://freshysites.com/team/nick-paliughi/
Nick was born in California and now resides in Lake Worth, FL. He has 10 years of experience building and maintaining sites in WordPress, which he is excited to put to use at Freshy. Prior to starting at Freshy in 2022 his focus was on WordPress security & malware removal. When he’s not tending to your website, Nick is installing exhibitions at art galleries and museums in Palm Beach County, and if he’s lucky surfing at the Lake Worth pier.

See our featured website design work

Check out some of the beautiful websites we’ve built for over 2,000 clients.

View projects

We offer WordPress support & maintenance

Shake the stress of ongoing maintenance with plans supported by our team of WordPress experts.

Learn more
Previous Post
Admin Columns Plugin Vulnerability (CVE-2026-7654)
Next Post
Simple SEO Slideshow Plugin Vulnerability (CVE-2026-8900)