The Payment Page | Payment Form for Stripe plugin for WordPress is vulnerable to stored cross‑site scripting due to insufficient sanitization of the 'pricing_plan_select_text_font_family' field. An authenticated attacker with Author or higher privileges can inject arbitrary JavaScript that is persisted in the plugin configuration and executed whenever visitors load the affected payment page. This stored XSS can lead to session hijacking, cookie theft, defacement, or phishing attacks against all users who view the injected page, making it a critical client‑side injection flaw (CWE‑79).

Affected systems include all installations of the Payment Page | Payment Form for Stripe plugin authored by brandonfire, with version 1.4.0 through 1.4.6 inclusive. No higher versions are listed, implying that any site running one of these releases is vulnerable. The vulnerability resides in the form handling code located at line 310 of PaymentForm.php, as referenced in the plugin's code repository.

The CVSS score is 6.4, indicating moderate severity, while the EPSS probability is below 1%, suggesting a low likelihood of exploitation at present. The vulnerability is not listed in KEV. Exploitation requires the attacker to possess Author or higher permissions to modify the payment form, after which the injected script is delivered to all visitors of the page. The narrow attack vector—authenticated with elevated role—limits initial access, but once the script is in place it propagates automatically, so the overall risk is moderate but potentially high if an attacker gains the necessary privileges.