VYPR
Medium severity 6.4 · NVD Advisory · Published Jun 6, 2026

CVE-2026-8893


Description

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the [stripe-express] shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value, which is concatenated into an HTML attribute in the rendered output of the register_shortcode() function without being passed through esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Insufficient output escaping on the 'type' attribute of the [stripe-express] shortcode allows for script injection."

Attack vector

An authenticated attacker with contributor-level access or higher can inject arbitrary web scripts into pages containing the [stripe-express] shortcode. This is achieved by manipulating the 'type' attribute, which is directly concatenated into an HTML attribute without proper sanitization or escaping. When a user visits a page with the injected script, the script will execute in their browser.

Affected code

The vulnerability resides within the `register_shortcode()` function in the `wp-stripe-shortcodes.php` file. Specifically, the 'type' attribute, when provided via the [stripe-express] shortcode, is directly used in the output without adequate escaping, as shown in the code snippets from [ref_id=1] and [ref_id=2].

What the fix does

The patch, as indicated by the code snippet in [ref_id=1] and [ref_id=2], addresses the vulnerability by ensuring that the 'type' attribute is properly escaped before being rendered in the HTML output. Although a specific patch file is not provided, the code shows that the 'type' variable, derived from shortcode attributes, is now handled in a way that prevents it from being directly interpreted as executable script. This prevents the injection of malicious code.
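The vulnerable pattern and the escaped form side by side, added here as an illustrative example rather than the plugin's actual code: the shortcode tag, the 'type' attribute and esc_attr() come from the advisory, while the function names, the data-type output attribute and the allowlist values are assumptions.

```php
<?php
// Illustrative handlers for the [stripe-express] shortcode. Function names,
// the data-type attribute and the allowlist are assumptions, not plugin code.

// Vulnerable pattern: the attribute value is concatenated straight into HTML.
function stripe_express_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'type' => 'card' ), $atts, 'stripe-express' );
    // A quote character in 'type' terminates the attribute early, so whatever
    // follows it is parsed as new markup in the rendered page.
    return '<div class="stripe-express" data-type="' . $atts['type'] . '"></div>';
}

// Hardened pattern: constrain the value, then escape it at the output sink.
function stripe_express_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'type' => 'card' ), $atts, 'stripe-express' );

    // Assumed allowlist: anything outside it falls back to the default.
    $allowed = array( 'card', 'button' );
    $type    = in_array( $atts['type'], $allowed, true ) ? $atts['type'] : 'card';

    // esc_attr() encodes " ' < > and & (ENT_QUOTES), so the value can neither
    // close the attribute nor open a tag, even if the allowlist is later relaxed.
    return '<div class="stripe-express" data-type="' . esc_attr( $type ) . '"></div>';
}

add_shortcode( 'stripe-express', 'stripe_express_shortcode_hardened' );
```

Escaping belongs at the output sink as shown; sanitizing only on input leaves other code paths that read the stored attribute unprotected.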

Preconditions

  • auth: Attacker must have at least contributor-level access.
  • input: The 'type' attribute of the [stripe-express] shortcode must be controllable by the attacker.

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.