The vulnerability is a reflected XSS in the Simple Stripe Checkout plugin caused by improper neutralization of user input before rendering it in a web page. Attackers can supply malicious scripts via query parameters or form data that are echoed unsanitized to a page. If executed in a user’s browser, the script runs with the same privileges as the site, allowing theft of cookies, session hijack, or other malicious actions. The weakness matches CWE‑79.

The plugin version 1.1.28 and earlier are affected. This includes all WordPress sites that have installed "Simple Stripe Checkout" from the Growniche developer before the 1.1.29 release (or newer). Any installation that has the plugin activated, regardless of who owns the site, is potentially vulnerable. The impact applies to all users who view pages rendered by the plugin.

With a CVSS score of 7.1 the vulnerability scores in the high range. The EPSS score of less than 1% indicates that usage of the exploit is expected to be low at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can craft a malicious link that, when visited by a user, injects JavaScript into the checkout page; no authentication or local exploitation is required. The simplest attack path is through a reflected XSS vector that requires only that the victim opens a crafted URL or is tricked into interacting with the plugin output.