CVE-2025-7653
Description
The EPay.bg Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'epay' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in EPay.bg Payments plugin for WordPress allows authenticated contributors to inject arbitrary scripts via the 'epay' shortcode.
The EPay.bg Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 0.1. The vulnerability exists in the 'epay' shortcode, which outputs user-supplied attributes directly into HTML without proper sanitization or escaping [1]. The plugin code shows that attributes such as submiturl, secret, min, invoice, sum, exp_date, descr, success_url, fail_url, and button_label are concatenated into an HTML form without any filtering [1].
Exploitation requires an authenticated attacker with at least contributor-level access to WordPress. The attacker can create or edit a post or page containing the 'epay' shortcode and inject malicious JavaScript into any of the shortcode attributes. When the page is visited by any user, the injected script executes in the context of the victim's browser, leading to potential cookie theft, session hijacking, or defacement [1].
The impact is significant as it allows attackers to execute arbitrary web scripts in the context of vulnerable sites, potentially compromising user accounts or altering site content. The plugin has not been updated to address this issue, and users are advised to remove or disable the shortcode until a patched version is released. No workarounds are provided by the vendor.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
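A hardened shortcode handler of the kind the narrative calls for, added here as an illustration; it is not the plugin's own code and does not reproduce its form layout. The attribute names are those listed above; the callback name, the defaults and the hidden-field names are assumptions, and the escaping helpers (shortcode_atts, sanitize_text_field, esc_url, esc_attr, esc_html) are standard WordPress functions.

```php
<?php
// Added example, not the EPay.bg Payments plugin's own code.
// Hardened handler for an 'epay' shortcode: every attribute is
// whitelisted, given a default, normalised, and escaped for the HTML
// context it lands in. Attribute names follow the CVE narrative; the
// callback name, defaults and field names are assumptions.
add_shortcode('epay', 'example_epay_shortcode_hardened');

function example_epay_shortcode_hardened($atts) {
    // shortcode_atts() discards any attribute not in this list, so a
    // post author cannot smuggle additional names into the form.
    $a = shortcode_atts(array(
        'submiturl'    => 'https://www.epay.bg/',
        'secret'       => '',
        'min'          => '',
        'invoice'      => '',
        'sum'          => '0',
        'exp_date'     => '',
        'descr'        => '',
        'success_url'  => '',
        'fail_url'     => '',
        'button_label' => 'Pay',
    ), $atts, 'epay');

    // Normalise typed fields before output: amounts become fixed
    // decimals, URLs go through esc_url_raw(), free text loses tags and
    // control characters. 'secret' is a server-side credential and is
    // deliberately never written into the page markup.
    $hidden = array(
        'min'         => sanitize_text_field($a['min']),
        'invoice'     => sanitize_text_field($a['invoice']),
        'sum'         => number_format((float) $a['sum'], 2, '.', ''),
        'exp_date'    => sanitize_text_field($a['exp_date']),
        'descr'       => sanitize_text_field($a['descr']),
        'success_url' => esc_url_raw($a['success_url']),
        'fail_url'    => esc_url_raw($a['fail_url']),
    );

    // The insecure pattern the CVE describes concatenates $a[...] values
    // straight into the markup. Here each value is escaped at the point
    // of output: esc_url() for the action, esc_attr() inside attributes,
    // esc_html() for visible button text.
    $html = '<form method="post" action="' . esc_url($a['submiturl']) . '">';
    foreach ($hidden as $name => $value) {
        $html .= '<input type="hidden" name="' . esc_attr($name)
               . '" value="' . esc_attr($value) . '">';
    }
    $html .= '<button type="submit">' . esc_html($a['button_label']) . '</button>';
    return $html . '</form>';
}
```

Because shortcode output is rendered for every visitor regardless of who authored the post, output escaping (not author capability checks) is the control that closes this class of bug.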
Affected products
- Range: <=0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.