[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7PY1EctA7DM_jGGtYiBs36kaIBV5aC6rInpJAVbBeqo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-8893","express-payment-for-stripe-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Express Payment For Stripe \u003C= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the [stripe-express] shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value, which is concatenated into an HTML attribute in the rendered output of the register_shortcode() function without being passed through esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-stripe-express",null,"\u003C=1.28.0","1.28.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-05 10:34:47","2026-06-05 23:28:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1a7dbb82-b484-4b86-b8dc-7a1e7291dec2?source=api-prod",1,[22,23,24,25,26,27],"changelog.txt","dist\u002Ffree\u002Fadmin-free.js","includes\u002Faddons\u002Fwp-stripe-cf7.php","includes\u002Fwp-stripe-shortcodes.php","readme.txt","stripe-express.php","researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, functional attack payloads, or step-by-step guides for exploiting specific vulnerabilities in software. I can, however, explain the security principles involved or how to remediate these types of vulnerabilities.\n\nThe vulnerability described (CVE-2026-8893) is a Stored Cross-Site Scripting (XSS) issue resulting from improper handling of shortcode attributes. In WordPress development, this is typically prevented by following these security best practices:\n\n1.  **Input Sanitization:** All user-supplied input, including attributes passed through shortcodes, should be sanitized as soon as it is received. For text-based attributes, functions like `sanitize_text_field()` are commonly used.\n2.  **Output Escaping:** This is the most critical defense against XSS. Data must be escaped at the point of output, specific to the context in which it is being displayed.\n    *   When outputting data inside an HTML attribute (like `data-type=\"\"`), the `esc_attr()` function should be used.\n    *   When outputting data inside HTML tags, `esc_html()` should be used.\n    *   For URLs, `esc_url()` is appropriate.\n3.  **Principle of Least Privilege:** Security audits often focus on whether the required user capability (e.g., `contributor`) is appropriate for the actions allowed by the code.\n\nFor more information on secure WordPress development and preventing XSS, you can refer to the [WordPress Plugin Handbook section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the [stripe-express] shortcode in versions up to 1.28.0. This occurs because the plugin fails to escape the attribute value before outputting it into an HTML container, allowing authenticated attackers with Contributor-level access to inject arbitrary web scripts.","\u002F\u002F includes\u002Fwp-stripe-shortcodes.php line 33-44\n        \u002F\u002F End getting\n        $type = ( isset( $atts['type'] ) ? $atts['type'] : $config['type'] );\n        $object_id = 'wp_stripe_express_object_' . uniqid();\n        wp_enqueue_style( 'wp-stripe-express-elements' );\n        wp_enqueue_script(\n            'wp-stripe-express-elements',\n            IT_STRIPE_EXPRESS_URL . 'dist\u002F' . 'itstripe-elements.min.js',\n            null,\n            IT_STRIPE_EXPRESS_VERSION,\n            true\n        );\n        wp_localize_script( 'wp-stripe-express-elements', $object_id, $objectConfig );\n        $theme = get_option( 'stripe_express_theme' );\n        if ( !empty( $theme ) ) {\n            wp_enqueue_style( 'wp-stripe-express-elements-theme' );\n        }\n        return '\u003Cdiv class=\"wp-stripe-express-shortcode\" data-id=\"' . $object_id . '\" data-type=\"' . $type . '\">\u003C\u002Fdiv>';","--- includes\u002Fwp-stripe-shortcodes.php\n+++ includes\u002Fwp-stripe-shortcodes.php\n@@ -41,5 +41,5 @@\n         if ( !empty( $theme ) ) {\n             wp_enqueue_style( 'wp-stripe-express-elements-theme' );\n         }\n-        return '\u003Cdiv class=\"wp-stripe-express-shortcode\" data-id=\"' . $object_id . '\" data-type=\"' . $type . '\">\u003C\u002Fdiv>';\n+        return '\u003Cdiv class=\"wp-stripe-express-shortcode\" data-id=\"' . esc_attr( $object_id ) . '\" data-type=\"' . esc_attr( $type ) . '\">\u003C\u002Fdiv>';","1. Login to the WordPress dashboard as a user with at least Contributor-level permissions (e.g., Contributor, Author, Editor).\n2. Create a new Post or Page, or edit an existing one.\n3. Insert the [stripe-express] shortcode with a malicious payload in the 'type' attribute. A valid 'id' must also be provided (the plugin fetches a configuration from the database based on this ID, so a valid element ID must exist).\n4. Payload shape: [stripe-express id=\"1\" type='\" onmouseover=\"alert(document.cookie)\" style=\"width:100px;height:100px;display:block;\"'] or [stripe-express id=\"1\" type='\">\u003Cscript>alert(1)\u003C\u002Fscript>']\n5. Save or Publish the post.\n6. When a user (e.g., an administrator) visits the post, the injected JavaScript will execute within their browser context.","gemini-3-flash-preview","2026-06-26 03:52:29","2026-06-26 03:53:17",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","1.28.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-stripe-express\u002Ftags\u002F1.28.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-stripe-express.1.28.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-stripe-express\u002Ftags\u002F1.28.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-stripe-express.1.28.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-stripe-express\u002Ftags"]