Description
WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.
Published: 2026-06-08
Score: 5.1 Medium (CVSS v4.0; the CVSS v3.1 vector scores 6.4)
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Plugin Stripe Payments 2.0.39 saves the value submitted in AcceptStripePayments-settings[currency_code] without validating it and renders it back into the plugin's settings page without escaping, so JavaScript placed there runs every time an administrator views those settings. Because the script executes inside the victim's administrative session, this stored cross-site scripting can be used to hijack that session, steal credentials, or take further actions on the site as the administrator.

Affected Systems

The vulnerability exists in the WordPress plugin Accept Stripe Payments (Stripe Payments), version 2.0.39; the record names no other affected versions and no fixed release. Administrators who view the plugin's settings are the targets, since the flaw is only triggered in the administrative interface.

Risk and Exploitability

CVSS v4.0 scores this 5.1 (Medium), and the v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) scores 6.4. EPSS is below 1%, the CVE is not listed in the CISA KEV catalog, and the SSVC assessment on the record lists Exploitation as 'poc' and Automatable as 'no'. Exploitation requires an authenticated account that can submit POST requests to /wp-admin/options.php and save the plugin's settings; both vectors rate that as low privilege (PR:L). Once the payload is stored, it executes in the browser of any administrator who then views the settings page (the v4.0 vector records this as passive user interaction, UI:P). The flaw therefore needs an existing account but threatens the confidentiality and integrity of administrative sessions; availability is not affected.

Generated by OpenCVE AI on June 8, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Stripe Payments plugin as soon as a release that removes the stored XSS is published; at the time of writing the record lists no fixed version.
  • Limit the accounts that can submit the plugin's settings (POST requests to /wp-admin/options.php) to trusted administrators, and audit the stored currency_code value for anything other than a plain currency code, which would indicate an already injected payload.
  • Validate currency_code on the server side against a strict allow-list (a three-letter ISO 4217 code) before storing it, and escape it with esc_attr() when rendering the settings page, so a stored value can never be interpreted as markup.
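The following is an added example, not the plugin's own code, illustrating the vector in the Description and the last two recommended actions above: a register_setting() sanitize callback that rejects anything but a three-letter code before options.php writes it, the unescaped attribute rendering that produces the stored XSS beside its escaped form, and a small check for an already tampered stored value. Only the option name AcceptStripePayments-settings and the currency_code key come from the record; the aspe_* function names, the ASPE_* constants, the settings group name and the USD default are assumptions for illustration. The shims at the top let the file run under plain php outside WordPress, where the real functions exist.

```php
<?php
// Added example (not the plugin's code). Names marked "assumed" are not from the CVE record.

// Shims so this runs under plain `php` outside WordPress; WordPress defines the real ones.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'add_settings_error' ) ) {
    function add_settings_error( $setting, $code, $message, $type = 'error' ) {
        fwrite( STDERR, "[$type] $setting/$code: $message\n" );
    }
}

const ASPE_OPTION           = 'AcceptStripePayments-settings'; // option name from the CVE record
const ASPE_DEFAULT_CURRENCY = 'USD';                           // assumed default

// Strict allow-list: ISO 4217 codes are exactly three ASCII letters. Anything else
// ('<', quotes, spaces, ...) is rejected rather than "cleaned", so a payload never
// reaches the database.
function aspe_is_valid_currency_code( $value ) {
    return is_string( $value ) && 1 === preg_match( '/^[A-Z]{3}$/', $value );
}

// Sanitize callback for register_setting(): receives the whole settings array that
// options.php is about to store and returns the sanitized array.
function aspe_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $code  = strtoupper( trim( (string) ( $input['currency_code'] ?? '' ) ) );
    if ( ! aspe_is_valid_currency_code( $code ) ) {
        add_settings_error( ASPE_OPTION, 'currency_code', 'Currency code must be a three-letter ISO 4217 code.' );
        $code = ASPE_DEFAULT_CURRENCY;
    }
    $input['currency_code'] = $code;
    return $input;
}

// Vulnerable rendering pattern: the stored value is echoed straight into an attribute,
// so a value containing `"><script>...` breaks out of the attribute.
function aspe_render_field_unsafe( array $settings ) {
    return '<input type="text" name="' . ASPE_OPTION . '[currency_code]" value="'
        . ( $settings['currency_code'] ?? '' ) . '">';
}

// Hardened rendering: re-check the value and escape at the output sink. Escaping is kept
// even though input is validated, because a payload may have been stored before the fix.
function aspe_render_field_safe( array $settings ) {
    $code = $settings['currency_code'] ?? '';
    if ( ! aspe_is_valid_currency_code( $code ) ) {
        $code = ASPE_DEFAULT_CURRENCY;
    }
    return '<input type="text" name="' . esc_attr( ASPE_OPTION . '[currency_code]' )
        . '" value="' . esc_attr( $code ) . '">';
}

// Audit check for a settings array already in the database (e.g. from get_option()):
// a currency_code that is not a plain three-letter code is what an injected payload looks like.
function aspe_settings_look_tampered( array $settings ) {
    return ! aspe_is_valid_currency_code( $settings['currency_code'] ?? '' );
}

// Wiring inside WordPress; the settings group name is assumed.
if ( function_exists( 'add_action' ) ) {
    add_action( 'admin_init', function () {
        register_setting( 'aspe-settings-group', ASPE_OPTION, array(
            'type'              => 'array',
            'sanitize_callback' => 'aspe_sanitize_settings',
        ) );
    } );
}

// Stand-alone demonstration with a constructed payload (not from the record).
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $payload = array( 'currency_code' => '"><script>alert(document.cookie)</script>' );
    echo "unsafe : " . aspe_render_field_unsafe( $payload ) . "\n";
    echo "safe   : " . aspe_render_field_safe( $payload ) . "\n";
    $clean = aspe_sanitize_settings( $payload );
    echo "stored : " . $clean['currency_code'] . "\n";
    echo "tamper : " . ( aspe_settings_look_tampered( $payload ) ? 'yes' : 'no' ) . "\n";
}
```

Run with `php example.php`: the unsafe line shows the attribute broken out of and a live script tag, the safe line shows the same payload inert as text, the sanitize callback falls back to the default and reports a settings error instead of storing the payload, and the audit helper flags the constructed value. The allow-list is deliberately the sanitization strategy here: for a field with a closed vocabulary, rejecting is safer than stripping tags, which leaves room for encoding tricks.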

Generated by OpenCVE AI on June 8, 2026 at 03:22 UTC.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 19:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 02:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.

Type: Title
Values Added: WordPress Plugin Stripe Payments 2.0.39 Stored XSS via currency_code

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T18:23:49.626Z

Reserved: 2026-06-07T22:47:03.333Z

Link: CVE-2021-47983

Vulnrichment

Updated: 2026-06-08T18:22:37.486Z

NVD

Status: Deferred

Published: 2026-06-08T02:16:22.363

Modified: 2026-06-08T14:59:44.750

Link: CVE-2021-47983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T03:30:16Z

Weaknesses