Accept Stripe Payments < 2.0.64 - Admin+ Stored Cross-Site Scripting
Description
Admin+ stored XSS in Accept Stripe Payments plugin < 2.0.64 allows script injection even with unfiltered_html disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Accept Stripe Payments WordPress plugin before version 2.0.64 [1] fails to sanitize and escape some of its settings. This allows high-privilege users, such as administrators, to inject arbitrary web scripts. The vulnerability is a stored cross-site scripting (XSS) issue that can be triggered even when the unfiltered_html capability is disallowed [1].
Exploitation
An attacker with administrator-level access can exploit this vulnerability by injecting malicious script code into the plugin settings. The injected script will be stored and executed when any user (including other admins) views the affected settings page. The attacker does not need special permissions beyond administrative access to the WordPress dashboard [1].
Impact
Successful exploitation results in persistent execution of arbitrary JavaScript in the context of the admin interface. This can lead to session hijacking, defacement, or further compromise of the WordPress site. The attacker's script runs with the privileges of the victim's browser session, potentially allowing actions such as creating new admin accounts or modifying site content [1].
Mitigation
The vulnerability is fixed in version 2.0.64 of the Accept Stripe Payments plugin [1]. Users should update to this version immediately. No workarounds are provided in the advisory. There is no indication that this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.0.64
Patches
No patches discovered yet.
References
- wpscan.com/vulnerability/ecf4b707-dea9-42d0-9ade-d788a9f97190 (mitre, x_refsource_MISC)