Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Accept Stripe Payments by mra13

    CVE-2021-47983 (GCVE-0-2021-47983)

    Vulnerability from nvd – Published: 2026-06-08 01:55 – Updated: 2026-06-08 18:23
    VLAI
    Title
    WordPress Plugin Stripe Payments 2.0.39 Stored XSS via currency_code
    Summary
    WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Date Public
    2021-01-04 00:00
    Credits
    Park Won Seok
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-47983",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-08T18:22:33.173419Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-08T18:23:49.626Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Accept Stripe Payments",
              "vendor": "mra13",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.0.39"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Park Won Seok"
            }
          ],
          "datePublic": "2021-01-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-08T01:55:26.047Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-49354",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/49354"
            },
            {
              "name": "Product Reference",
              "tags": [
                "product"
              ],
              "url": "https://wordpress.org/plugins/stripe-payments/#developers"
            },
            {
              "name": "VulnCheck Advisory: WordPress Plugin Stripe Payments 2.0.39 Stored XSS via currency_code",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/wordpress-plugin-stripe-payments-stored-xss-via-currency-code"
            }
          ],
          "title": "WordPress Plugin Stripe Payments 2.0.39 Stored XSS via currency_code",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2021-47983",
        "datePublished": "2026-06-08T01:55:26.047Z",
        "dateReserved": "2026-06-07T22:47:03.333Z",
        "dateUpdated": "2026-06-08T18:23:49.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-7353 (GCVE-0-2024-7353)

    Vulnerability from nvd – Published: 2024-08-07 11:30 – Updated: 2026-04-08 17:32
    VLAI
    Title
    Accept Stripe Payments <= 2.0.86 - Authenticated (Contributor+) Stored Cross-Site Scripting via accept_stripe_payment_ng Shortcode
    Summary
    The Accept Stripe Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's accept_stripe_payment_ng shortcode in all versions up to, and including, 2.0.86 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    mra13 Accept Stripe Payments Affected: 0 , ≤ 2.0.86 (semver)
    Create a notification for this product.
    tipsandtricks-hq accept_stripe Affected: 0 , ≤ 2.0.86 (semver)
        cpe:2.3:a:tipsandtricks-hq:accept_stripe:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Arkadiusz Hydzik
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:tipsandtricks-hq:accept_stripe:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "accept_stripe",
                "vendor": "tipsandtricks-hq",
                "versions": [
                  {
                    "lessThanOrEqual": "2.0.86",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7353",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-07T14:43:56.923237Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-07T14:47:51.772Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Accept Stripe Payments",
              "vendor": "mra13",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.86",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Arkadiusz Hydzik"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Accept Stripe Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s accept_stripe_payment_ng shortcode in all versions up to, and including, 2.0.86 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:32:46.490Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f321e41a-3945-47db-a215-aeb001b7b80b?source=cve"
            },
            {
              "url": "https://portswigger.net/research/xss-in-hidden-input-fields"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/stripe-payments/trunk/includes/shortcodes/class-asp-shortcode-ng.php#L715"
            },
            {
              "url": "https://wordpress.org/plugins/stripe-payments/#developers"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-08-06T23:21:26.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Accept Stripe Payments \u003c= 2.0.86 - Authenticated (Contributor+) Stored Cross-Site Scripting via accept_stripe_payment_ng Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-7353",
        "datePublished": "2024-08-07T11:30:53.170Z",
        "dateReserved": "2024-07-31T21:27:33.166Z",
        "dateUpdated": "2026-04-08T17:32:46.490Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-47983 (GCVE-0-2021-47983)

    Vulnerability from cvelistv5 – Published: 2026-06-08 01:55 – Updated: 2026-06-08 18:23
    VLAI
    Title
    WordPress Plugin Stripe Payments 2.0.39 Stored XSS via currency_code
    Summary
    WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Date Public
    2021-01-04 00:00
    Credits
    Park Won Seok
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-47983",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-08T18:22:33.173419Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-08T18:23:49.626Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Accept Stripe Payments",
              "vendor": "mra13",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.0.39"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Park Won Seok"
            }
          ],
          "datePublic": "2021-01-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-08T01:55:26.047Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-49354",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/49354"
            },
            {
              "name": "Product Reference",
              "tags": [
                "product"
              ],
              "url": "https://wordpress.org/plugins/stripe-payments/#developers"
            },
            {
              "name": "VulnCheck Advisory: WordPress Plugin Stripe Payments 2.0.39 Stored XSS via currency_code",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/wordpress-plugin-stripe-payments-stored-xss-via-currency-code"
            }
          ],
          "title": "WordPress Plugin Stripe Payments 2.0.39 Stored XSS via currency_code",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2021-47983",
        "datePublished": "2026-06-08T01:55:26.047Z",
        "dateReserved": "2026-06-07T22:47:03.333Z",
        "dateUpdated": "2026-06-08T18:23:49.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-7353 (GCVE-0-2024-7353)

    Vulnerability from cvelistv5 – Published: 2024-08-07 11:30 – Updated: 2026-04-08 17:32
    VLAI
    Title
    Accept Stripe Payments <= 2.0.86 - Authenticated (Contributor+) Stored Cross-Site Scripting via accept_stripe_payment_ng Shortcode
    Summary
    The Accept Stripe Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's accept_stripe_payment_ng shortcode in all versions up to, and including, 2.0.86 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    mra13 Accept Stripe Payments Affected: 0 , ≤ 2.0.86 (semver)
    Create a notification for this product.
    tipsandtricks-hq accept_stripe Affected: 0 , ≤ 2.0.86 (semver)
        cpe:2.3:a:tipsandtricks-hq:accept_stripe:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Arkadiusz Hydzik
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:tipsandtricks-hq:accept_stripe:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "accept_stripe",
                "vendor": "tipsandtricks-hq",
                "versions": [
                  {
                    "lessThanOrEqual": "2.0.86",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7353",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-07T14:43:56.923237Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-07T14:47:51.772Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Accept Stripe Payments",
              "vendor": "mra13",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.86",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Arkadiusz Hydzik"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Accept Stripe Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s accept_stripe_payment_ng shortcode in all versions up to, and including, 2.0.86 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:32:46.490Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f321e41a-3945-47db-a215-aeb001b7b80b?source=cve"
            },
            {
              "url": "https://portswigger.net/research/xss-in-hidden-input-fields"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/stripe-payments/trunk/includes/shortcodes/class-asp-shortcode-ng.php#L715"
            },
            {
              "url": "https://wordpress.org/plugins/stripe-payments/#developers"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-08-06T23:21:26.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Accept Stripe Payments \u003c= 2.0.86 - Authenticated (Contributor+) Stored Cross-Site Scripting via accept_stripe_payment_ng Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-7353",
        "datePublished": "2024-08-07T11:30:53.170Z",
        "dateReserved": "2024-07-31T21:27:33.166Z",
        "dateUpdated": "2026-04-08T17:32:46.490Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }