Description
The EPay.bg Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'epay' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The EPay.bg Payments plugin for WordPress contains a stored cross-site scripting flaw in the 'epay' shortcode. Attribute values passed to the shortcode are neither sanitized on input nor escaped on output, so a user who can place the shortcode in post content can embed a script in the page the plugin renders. When anyone visits a page that displays the shortcode, the injected script runs in the victim’s browser, potentially stealing session data, modifying the page, or redirecting to phishing sites. The weakness is classified as CWE-79 (improper neutralization of input during web page generation), the classic failure to escape untrusted input before it reaches the page.

Affected Systems

WordPress sites using the EPay.bg Payments plugin version 0.1 or earlier are affected. The vendor of the plugin is Vloo, and the affected product is the EPay.bg Payments plugin, all releases up to and including 0.1. There is no newer version indicated in the available references, so any site running this version is vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) rates the issue as medium severity; the changed scope (S:C) reflects that the injected script runs in other users' browsers rather than in the vulnerable plugin itself. The EPSS value is below 1%, meaning that the likelihood of exploitation is currently low but not negligible. The vulnerability is not listed in CISA’s KEV catalog. It requires the attacker to hold at least contributor-level access to the site, which is an authenticated privilege. Once in, the attacker can insert scripts that execute in the context of other users who view the affected content, enabling data theft and defacement scenarios. The attack is therefore an authenticated web-application attack that exploits improper input handling: the payload is stored server side and delivered to every visitor of the affected page.

Generated by OpenCVE AI on April 21, 2026 at 03:56 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the EPay.bg Payments plugin to the latest available release, if one exists, to incorporate the vendor’s fix.
  • If an update is not available, remove or edit the 'epay' shortcode to eliminate the vulnerable attributes, or replace it with a sanitized version that properly escapes user input.
  • Restrict contributor and higher roles from inserting or editing the 'epay' shortcode, or implement additional server‑side validation to sanitize any attributes supplied to the shortcode.
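The second and third recommendations above come down to one coding pattern: whitelist the shortcode's attributes, sanitize each value on input, and escape it on output with the escaper that matches the HTML context. The following is an added illustration written for this page, not the EPay.bg plugin's code; the attribute names (amount, description, return_url) and the hidden-field names are hypothetical, since the record does not list the shortcode's real attributes. It places a deliberately unsafe handler beside a hardened one so the difference is visible.

```php
<?php
// Added illustration, not the EPay.bg Payments plugin's code. Attribute
// names, field names and the 'hypothetical-epay' text domain are assumptions.

// Unsafe pattern: attribute values are concatenated straight into markup.
// Whoever can insert the shortcode controls what lands in the page, which is
// the shape of flaw the advisory describes (no sanitization, no escaping).
function hypothetical_epay_unsafe( $atts ) {
    return '<input type="hidden" name="DESCR" value="' . $atts['description'] . '">';
}

// Hardened pattern: whitelist, sanitize on input, escape on output per context.
function hypothetical_epay_safe( $atts ) {
    // shortcode_atts() drops attributes that are not in the whitelist and
    // fills in defaults, so the handler never sees unexpected keys.
    $atts = shortcode_atts(
        array(
            'amount'      => '0',
            'description' => '',
            'return_url'  => '',
        ),
        $atts,
        'epay'
    );

    // Sanitize: coerce each value to the type the attribute is meant to carry.
    $amount      = number_format( (float) $atts['amount'], 2, '.', '' );
    $description = sanitize_text_field( $atts['description'] );
    $return_url  = esc_url_raw( $atts['return_url'] ); // only http/https survive by default

    // Escape on output, choosing the escaper by HTML context:
    // esc_url() for href/action, esc_attr() inside attribute values,
    // esc_html() for text nodes. Each one neutralizes the characters that
    // would let a value break out of that particular context.
    $html  = '<form method="post" action="' . esc_url( $return_url ) . '">';
    $html .= '<input type="hidden" name="AMOUNT" value="' . esc_attr( $amount ) . '">';
    $html .= '<input type="hidden" name="DESCR" value="' . esc_attr( $description ) . '">';
    $html .= '<p>' . esc_html( $description ) . '</p>';
    $html .= '<button type="submit">' . esc_html__( 'Pay', 'hypothetical-epay' ) . '</button>';
    $html .= '</form>';

    return $html;
}

add_shortcode( 'epay', 'hypothetical_epay_safe' );
```

Two practical notes. Sanitizing on input is not a substitute for escaping on output: sanitize_text_field() strips tags, but it is the context-specific esc_* call at the point of output that guarantees a value cannot close an attribute or element. And the role restriction from the third recommendation cannot be enforced inside the shortcode handler, because the handler runs at render time in the context of the visitor, not the author; a current_user_can() check there would test the wrong user. Restricting who may insert the shortcode belongs in a save-time hook or a capability check on the editor, while the handler itself should treat every attribute as untrusted regardless of who wrote it.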



Advisories

Source: EUVD
ID: EUVD-2025-21943
Title: The EPay.bg Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'epay' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 21 Jul 2025 17:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 19 Jul 2025 02:30:00 +0000

Type: Description
Values added: The EPay.bg Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'epay' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values added: EPay.bg Payments <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (none shown)

Type: Metrics
Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:03.411Z

Reserved: 2025-07-14T17:44:15.480Z

Link: CVE-2025-7653

Vulnrichment

Updated: 2025-07-21T16:57:19.803Z

NVD

Status : Deferred

Published: 2025-07-19T03:15:23.050

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7653

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses