Description
The ThemeMakers Stripe Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'stripe' shortcode in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Plugin
AI Analysis

Impact

The ThemeMakers Stripe Checkout WordPress plugin is vulnerable to stored cross‑site scripting through its "stripe" shortcode. Improper input sanitization and output escaping allow an authenticated user with Contributor‑level or higher permissions to embed arbitrary script code. When a user accesses a page containing the malicious shortcode, the injected script executes in the victim’s browser, potentially leading to session hijack, credential theft, defacement, or other malicious behaviors. This flaw corresponds to CWE‑79, a classic reflected or stored XSS weakness.

Affected Systems

All installations of the ThemeMakers Stripe Checkout plugin for WordPress with versions up to and including 1.0.1 are affected. The plugin is available on WordPress.com and self‑hosted WordPress sites, and it may appear as part of themes or theme‑marketplace bundles.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate‑to‑high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The flaw is not listed in the CISA KEV catalog. Attackers must first obtain contributor or higher privileges on the site, then add or edit a page that uses the vulnerable shortcode. Once installed, the injected scripts will execute for all visitors to that page, making it a persistent threat for sites that have not patched or mitigated the vulnerability.

Generated by OpenCVE AI on April 20, 2026 at 23:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ThemeMakers Stripe Checkout plugin to version 1.0.2 or newer to receive the vendor’s fix.
  • If an upgrade is not immediately possible, strip the "stripe" shortcode from all posts and pages or disable its execution engine until the patch is applied.
  • Ensure that only trusted administrators have Contributor or higher roles; apply least‑privilege principles to restrict who can edit content containing the shortcode.

Generated by OpenCVE AI on April 20, 2026 at 23:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5117 The ThemeMakers Stripe Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'stripe' shortcode in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 11 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Thememakers
Thememakers stripe Checkout
CPEs cpe:2.3:a:thememakers:stripe_checkout:*:*:*:*:*:wordpress:*:*
Vendors & Products Thememakers
Thememakers stripe Checkout

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Feb 2025 08:30:00 +0000

Type Values Removed Values Added
Description The ThemeMakers Stripe Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'stripe' shortcode in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title ThemeMakers Stripe Checkout <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Thememakers Stripe Checkout
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:55.884Z

Reserved: 2025-02-25T11:29:32.963Z

Link: CVE-2025-1690

cve-icon Vulnrichment

Updated: 2025-02-27T14:37:25.126Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-27T09:15:10.697

Modified: 2025-03-11T15:59:35.800

Link: CVE-2025-1690

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses