CVE-2026-1295 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the 'Stripe Payments by Buy Now Plus' WordPress plugin developed by supercleanse. The vulnerability arises from insufficient sanitization and escaping of input data in the 'buynowplus' shortcode attributes, which are used to embed Stripe payment buttons on WordPress pages. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into the shortcode attributes. Because the injected scripts are stored persistently in the WordPress database and rendered on pages viewed by other users, the malicious code executes in the context of any visitor accessing the compromised page. This can lead to theft of cookies or session tokens, unauthorized actions on behalf of users, or redirection to malicious sites. The vulnerability affects all versions up to and including 1.0.2 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or exploit code are currently publicly available, but the risk remains significant for sites that allow contributors to add or edit shortcode content. The vulnerability is particularly concerning for multi-user WordPress environments where contributors can add content but do not have full administrative rights, as it bypasses typical privilege boundaries. The stored nature of the XSS increases its impact compared to reflected XSS, as the malicious payload persists and affects multiple users.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of user sessions and data on WordPress sites using the affected plugin. Attackers with contributor access could inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, defacement, or distribution of malware. This could damage organizational reputation, lead to data breaches, and cause compliance issues under GDPR due to unauthorized access or data leakage. E-commerce sites relying on Stripe payments via this plugin may face disruption or loss of customer trust. Since the attack requires authenticated contributor access, insider threats or compromised contributor accounts increase risk. The vulnerability could also be leveraged as a foothold for further attacks within the network if administrative users are targeted. Given the widespread use of WordPress in Europe and the popularity of Stripe for payments, the potential impact is significant for small to medium enterprises and larger organizations using this plugin for online transactions.

Organizations should immediately update the 'Stripe Payments by Buy Now Plus' plugin to a version that addresses this vulnerability once available. Until a patch is released, restrict contributor-level permissions to trusted users only and audit existing shortcode content for suspicious scripts. Implement Web Application Firewall (WAF) rules to detect and block malicious script payloads in shortcode attributes. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly monitor logs for unusual activity related to shortcode usage or contributor edits. Educate content contributors about the risks of injecting untrusted code. Consider disabling or replacing the plugin with alternative payment solutions that follow secure coding practices. Conduct periodic security assessments of WordPress plugins and user roles to minimize attack surface. Finally, ensure that backups and incident response plans are in place to quickly recover from potential exploitation.