CVE-2026-1295 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin 'Stripe Payments by Buy Now Plus,' developed by supercleanse. This plugin facilitates Stripe credit card payments via 'Buy Now' buttons embedded using the 'buynowplus' shortcode. The vulnerability exists due to improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of shortcode attributes. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code into pages by manipulating shortcode attributes. Because the malicious script is stored, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all plugin versions up to and including 1.0.2. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required (low), no user interaction, and a scope change with partial confidentiality and integrity impacts but no availability impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was publicly disclosed on January 28, 2026, with Wordfence as the assigner. Given the plugin's role in payment processing, exploitation could have significant consequences if leveraged in targeted attacks.

The impact of CVE-2026-1295 is primarily on the confidentiality and integrity of affected WordPress sites using the vulnerable plugin. An attacker with Contributor-level access can inject persistent malicious scripts, which execute in the browsers of any visitors to the compromised pages. This can lead to session hijacking, theft of sensitive user data such as payment information or personal details, unauthorized actions performed on behalf of users, and potential defacement or redirection to malicious sites. Since the plugin is related to payment processing, exploitation could undermine customer trust and lead to financial fraud or data breaches. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with multiple contributors or where accounts may be compromised. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the attacker’s privileges, increasing risk. Organizations relying on this plugin for e-commerce or payment processing may face reputational damage, regulatory penalties, and operational disruption if exploited.

To mitigate CVE-2026-1295, organizations should immediately update the Buy Now Plus Stripe Payments plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level and higher permissions to trusted users only and audit existing user accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'buynowplus' shortcode attributes. Employ Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of injected scripts. Regularly scan WordPress sites with security plugins capable of detecting stored XSS payloads. Educate site contributors about safe input practices and monitor logs for unusual shortcode usage. Consider temporarily disabling the plugin if the risk is unacceptable and no fix is available. Finally, maintain regular backups and incident response plans to quickly recover from potential compromises.