VYPR
Medium severity (6.5) · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-42752

Description

Unauthenticated bypass vulnerability in Stripe Payments <= 2.0.98 allows attackers to circumvent payment restrictions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An unauthenticated bypass vulnerability exists in the Stripe Payments plugin for WordPress versions up to and including 2.0.98. This flaw resides in the plugin's input validation or access control logic, allowing an attacker to bypass certain restrictions without requiring authentication. No specific configuration beyond the default installation is necessary for the vulnerable code path to be reachable. The affected versions are all releases of Stripe Payments prior to the fix, with 2.0.98 being the last vulnerable version [1].

Exploitation

An attacker can exploit this vulnerability without any authentication or prior access to the target site. The attacker sends crafted HTTP requests to the WordPress site running the vulnerable plugin, targeting the specific endpoint or parameter that lacks proper validation. The exploit does not require user interaction or any special network position beyond being able to reach the WordPress installation over the internet [1].

Impact

Successful exploitation allows an attacker to bypass intended payment process restrictions. Depending on the exact nature of the bypass, this could result in unauthorized transactions, privilege escalation, or other actions that circumvent the plugin's security controls. The CVSS score of 6.5 (Medium) indicates a moderate to significant impact on confidentiality, integrity, or availability, though the precise CIA outcome is not fully detailed in the available references [1].

Mitigation

The recommended mitigation is to update the Stripe Payments plugin to a version newer than 2.0.98, where the vulnerability has been fixed. The plugin vendor has released a patch; users should apply the update as soon as possible. If updating immediately is not possible, website administrators should, as a temporary workaround, consult their hosting provider or web developer to implement additional security measures, such as Web Application Firewall (WAF) rules or access controls [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

References: 1

News mentions: 1