{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0751", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-08T19:56:40.354Z", "datePublished": "2026-02-14T06:42:26.021Z", "dateUpdated": "2026-04-08T16:34:29.417Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:29.417Z"}, "affected": [{"vendor": "brandonfire", "product": "Payment Page | Payment Form for Stripe", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Payment Page | Payment Form for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricing_plan_select_text_font_family' parameter in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Payment Page | Payment Form for Stripe <= 1.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0982cc3e-87d7-49d2-afa3-8c18355d7968?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/payment-page/trunk/app/PaymentForm.php#L310"}, {"url": "https://plugins.trac.wordpress.org/browser/payment-page/tags/1.4.6/app/PaymentForm.php#L310"}, {"url": "https://plugins.trac.wordpress.org/changeset/3464131/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-02-13T18:30:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T20:15:10.468839Z", "id": "CVE-2026-0751", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:15:18.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T20:15:10.468839Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:15:14.080Z"}}], "cna": {"title": "Payment Page | Payment Form for Stripe <= 1.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "brandonfire", "product": "Payment Page | Payment Form for Stripe", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.4.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T18:30:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0982cc3e-87d7-49d2-afa3-8c18355d7968?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/payment-page/trunk/app/PaymentForm.php#L310"}, {"url": "https://plugins.trac.wordpress.org/browser/payment-page/tags/1.4.6/app/PaymentForm.php#L310"}], "descriptions": [{"lang": "en", "value": "The Payment Page | Payment Form for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricing_plan_select_text_font_family' parameter in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-14T06:42:26.021Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0751", "state": "PUBLISHED", "dateUpdated": "2026-02-18T20:15:18.817Z", "dateReserved": "2026-01-08T19:56:40.354Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:26.021Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Payment Page | Payment Form for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricing_plan_select_text_font_family' parameter in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Payment Page | Payment Form para Stripe para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'pricing_plan_select_text_font_family' en todas las versiones hasta e incluyendo la 1.4.6 debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de nivel Autor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-0751", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:09.283", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/payment-page/tags/1.4.6/app/PaymentForm.php#L310"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/payment-page/trunk/app/PaymentForm.php#L310"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3464131/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0982cc3e-87d7-49d2-afa3-8c18355d7968?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.6]"}}], "product": "payment_page_|_payment_form_for_stripe", "vendor": "brandonfire"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:40:21.602965+00:00", "value": {"mitigation_remediation": ["Upgrade the Payment Page | Payment Form for Stripe plugin to the latest available version (greater than 1.4.6) to remove the vulnerable code.", "If an immediate upgrade is not feasible, edit or reset the 'pricing_plan_select_text_font_family' field to a neutral value or delete the custom text to prevent script injection.", "Restrict Author and higher role capabilities so that only trusted users can edit payment form fields, applying the principle of least privilege.", "Review all other form inputs for proper sanitization and output escaping to avoid similar client\u2011side injection issues."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Affected systems include all installations of the Payment Page | Payment Form for Stripe plugin authored by brandonfire, with version 1.4.0 through 1.4.6 inclusive. No higher versions are listed, implying that any site running one of these releases is vulnerable. The vulnerability resides in the form handling code located at line 310 of PaymentForm.php, as referenced in the plugin's code repository.", "description_and_impact": "The Payment Page | Payment Form for Stripe plugin for WordPress is vulnerable to stored cross\u2011site scripting due to insufficient sanitization of the 'pricing_plan_select_text_font_family' field. An authenticated attacker with Author or higher privileges can inject arbitrary JavaScript that is persisted in the plugin configuration and executed whenever visitors load the affected payment page. This stored XSS can lead to session hijacking, cookie theft, defacement, or phishing attacks against all users who view the injected page, making it a critical client\u2011side injection flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score is 6.4, indicating moderate severity, while the EPSS probability is below 1%, suggesting a low likelihood of exploitation at present. The vulnerability is not listed in KEV. Exploitation requires the attacker to possess Author or higher permissions to modify the payment form, after which the injected script is delivered to all visitors of the page. The narrow attack vector\u2014authenticated with elevated role\u2014limits initial access, but once the script is in place it propagates automatically, so the overall risk is moderate but potentially high if an attacker gains the necessary privileges."}}}}, "created": "2026-02-16T12:03:11.048814+00:00", "updated": "2026-04-15T20:45:06.388220+00:00", "vendors": ["brandonfire", "brandonfire$PRODUCT$payment_page_|_payment_form_for_stripe", "wordpress", "wordpress$PRODUCT$wordpress"]}