CVE-2026-0751 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Payment Page | Payment Form for Stripe plugin for WordPress, developed by brandonfire. This vulnerability exists in all versions up to and including 1.4.6 due to insufficient sanitization and escaping of the 'pricing_plan_select_text_font_family' parameter. An attacker with Author-level or higher privileges can inject arbitrary JavaScript code into the plugin's payment pages. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 score is 6.4, reflecting a medium severity with network attack vector, low complexity, privileges required (Author), no user interaction, and a scope change indicating that the vulnerability can affect components beyond the initially vulnerable module. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability primarily threatens the confidentiality and integrity of user data and site content, but does not affect availability. Since exploitation requires authenticated access, attackers must first compromise or have legitimate Author-level credentials on the WordPress site. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins handling payment information.

The impact of CVE-2026-0751 can be significant for organizations using the affected plugin on WordPress sites, particularly those handling payment processing via Stripe. Successful exploitation allows attackers with Author-level access to inject persistent malicious scripts, which execute in the context of any user visiting the compromised page. This can lead to theft of sensitive information such as session cookies, personal data, or payment details, enabling further account takeover or fraudulent transactions. The integrity of the website content can be compromised, potentially damaging brand reputation and user trust. Although availability is not directly affected, the breach of confidentiality and integrity can have cascading effects including regulatory penalties, financial loss, and increased remediation costs. Since the vulnerability requires authenticated access, the risk is somewhat mitigated but remains serious in environments where multiple users have elevated privileges or where credential compromise is possible. Organizations with high volumes of e-commerce transactions or sensitive customer data are at greater risk. The vulnerability also poses a risk to site administrators and users who may be targeted for phishing or social engineering attacks leveraging the injected scripts.

To mitigate CVE-2026-0751, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should restrict Author-level privileges to trusted users only and audit existing accounts for unnecessary elevated permissions. Implement Web Application Firewall (WAF) rules to detect and block malicious script injections targeting the vulnerable parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Conduct regular security reviews and code audits of plugins, especially those handling payment data. Consider temporarily disabling or replacing the vulnerable plugin with alternative payment solutions until a fix is released. Additionally, monitor logs for suspicious activity related to the 'pricing_plan_select_text_font_family' parameter and user actions at the Author privilege level. Educate users and administrators about the risks of XSS and the importance of credential security to reduce the likelihood of privilege abuse.