Impact
The Accept Stripe Payments Using Contact Form 7 plugin contains a reflected cross-site scripting vulnerability caused by insufficient input sanitization and output escaping when the failure_message parameter is processed. An unauthenticated attacker can inject arbitrary script into the page output by supplying a crafted value, and that script executes in the browser of any user who views the resulting page or follows a link that triggers the failure_message response. The flaw can be used to deface the site, steal session cookies, or phish users, compromising the confidentiality and integrity, and potentially the availability, of the affected site.
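The root cause described above, as an added illustrative example rather than the plugin's own code: a hypothetical handler that echoes a failure_message request parameter unescaped, next to the same handler using WordPress's sanitize_text_field(), wp_unslash() and esc_html().

```php
<?php
// Added example (not the plugin's code): the generic pattern behind a reflected
// XSS on a request parameter such as failure_message, and its corrected form.

// Vulnerable pattern: the raw parameter is concatenated into HTML unchanged,
// so any markup present in the request becomes part of the rendered page.
function render_failure_message_vulnerable() {
    $msg = isset( $_GET['failure_message'] ) ? $_GET['failure_message'] : '';
    echo '<div class="payment-failure">' . $msg . '</div>';
}

// Hardened pattern: sanitize on input, escape on output for the HTML context.
// wp_unslash() removes the slashes WordPress adds to request data,
// sanitize_text_field() strips tags and control characters, and esc_html()
// encodes the remaining special characters so the browser shows them as text.
function render_failure_message_safe() {
    $msg = isset( $_GET['failure_message'] )
        ? sanitize_text_field( wp_unslash( $_GET['failure_message'] ) )
        : '';
    echo '<div class="payment-failure">' . esc_html( $msg ) . '</div>';
}
```

The escaping function must match the output context: esc_attr() for an HTML attribute and wp_json_encode() for a value embedded in inline JavaScript, since esc_html() alone is not sufficient there.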
Affected Systems
The vulnerability affects the Zealopensource Accept Stripe Payments Using Contact Form 7 plugin for WordPress; all releases up to and including version 3.1 are vulnerable. The issue lies in how the plugin processes the failure_message field.
Risk and Exploitability
The CVSS base score is 6.1, indicating moderate severity. The EPSS score of <1% suggests that exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack typically requires luring a user into clicking a malicious link that embeds a crafted failure_message payload, which then executes as script in the victim's browser. Because exploitation depends on user interaction, site operators are advised to track whether the plugin is installed and which version is deployed, and to monitor the request paths that accept the failure_message parameter.
OpenCVE Enrichment