CVE-2026-0751 identifies a stored cross-site scripting vulnerability in the Payment Page | Payment Form for Stripe plugin for WordPress, developed by brandonfire. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'pricing_plan_select_text_font_family' parameter. This parameter lacks sufficient input sanitization and output escaping, allowing authenticated users with Author-level or higher privileges to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The vulnerability affects all plugin versions up to and including 1.4.6. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges at the Author level, no user interaction needed, and a scope change with partial confidentiality and integrity impacts but no availability impact. No public exploits are known at this time, but the vulnerability poses a significant risk in environments where multiple users have elevated privileges and interact with the plugin's payment pages. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, potentially compromising sensitive payment data and user credentials. Since the plugin handles payment forms integrated with Stripe, exploitation could facilitate theft of session tokens, redirection to phishing sites, or unauthorized transactions if attackers escalate privileges or harvest credentials. The impact is particularly critical for e-commerce businesses, financial services, and any organizations relying on this plugin for payment processing. The compromise of customer trust and regulatory repercussions under GDPR due to data leakage or unauthorized access are significant concerns. Additionally, the stored nature of the XSS means that multiple users can be affected over time, increasing the risk of widespread impact. The medium severity score reflects a moderate but tangible threat that could disrupt business operations and damage reputation if exploited.

European organizations should immediately audit their WordPress installations to identify the presence of the Payment Page | Payment Form for Stripe plugin and verify the version in use. Until an official patch is released, restrict Author-level and higher privileges to trusted personnel only, minimizing the risk of malicious input injection. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'pricing_plan_select_text_font_family' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly monitor logs and user activity for signs of exploitation attempts or anomalous behavior. Consider temporarily disabling or replacing the vulnerable plugin if feasible. Once a patch is available, apply it promptly. Additionally, educate site administrators about the risks of privilege escalation and the importance of input validation best practices.