WordPress Security Bulletin: Payment Page | Payment Form for Stripe Plugin Vulnerability (CVE-2026-0751)

On this page

Security Alert Summary

The Payment Page | Payment Form for Stripe WordPress plugin contains a stored Cross-Site Scripting (XSS) vulnerability. An authenticated user with Author-level permissions or higher can inject JavaScript via the pricing_plan_select_text_font_family parameter. Injected scripts can execute when other users view the affected page.


CVE Details

  • CVE ID: CVE-2026-0751
  • Affected plugin / component: The Payment Page | Payment Form for Stripe plugin for WordPress (as stated in the CVE description)
  • Affected versions: All versions up to, and including, 1.4.6
  • Published: February 14, 2026 at 7:16:09 AM UTC
  • Last modified: February 14, 2026 at 7:16:09 AM UTC
  • CVSS v3.1: Base score 6.4, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Requires an authenticated attacker with low privileges (PR:L) — described as Author-level access and above; user interaction not required (UI:N)
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)

Technical Details

The issue is a stored Cross-Site Scripting vulnerability caused by insufficient input sanitization and output escaping for the pricing_plan_select_text_font_family parameter. According to the provided references, the problematic code is reachable in PaymentForm.php (see the referenced file and line).

An authenticated user with Author-level permissions or higher can supply malicious input for that parameter, which is then stored and later rendered in pages without proper escaping. When another user (or the same user) views a page containing the injected content, the browser executes the injected script. The CVE description and references identify the parameter and the file as the injection point; no additional functions or endpoints are named in the CVE entry.


How This Could Impact Your Website

Consider a site where multiple people have different roles: a site owner (administrator), internal staff (editors), and external contributors (authors). An external contributor or a staff member with Author-level access could add or modify content that includes a crafted value for pricing_plan_select_text_font_family. When other users view the affected page, the injected script could run in their browsers.

Practical consequences consistent with the reported impacts include exposure of low-sensitivity data visible to the page (such as email addresses displayed on the page), manipulation of page content for phishing or to deceive users, and increased risk of targeted social-engineering attacks against staff or administrators. Availability impact is not indicated by the CVE.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Restrict who can create or edit content: review and reduce unnecessary user roles, especially Authors and Contributors.
  • Enforce strong passwords and enable two-factor authentication for Editors and Administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, such as unexpected content changes or posts containing suspicious HTML/JS.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References