Atomic Edge analysis of CVE-2026-0751:
The Payment Page | Payment Form for Stripe WordPress plugin contains an authenticated stored cross-site scripting vulnerability in versions up to and including 1.4.6. The vulnerability affects the plugin’s payment form styling functionality and allows attackers with Author-level access or higher to inject malicious scripts that execute when users view compromised payment pages.
Root Cause:
The vulnerability originates in the _get_pricing_plan_select_css_variables() method of PaymentForm.php. In the vulnerable version, line 306 (line 309 after patching) outputs the ‘pricing_plan_select_text_font_family’ setting directly into a CSS variable declaration with no sanitization or escaping:

$response .= '--payment-page-element-form-select-font-family : ' . $settings['pricing_plan_select_text_font_family'] . ';' . "\n";

This parameter value flows from user input through the plugin’s settings storage and into CSS variable declarations that render on public payment pages.
Exploitation:
An attacker with Author privileges or higher can exploit this vulnerability by accessing the plugin’s payment form settings interface. The attacker injects malicious JavaScript payloads into the ‘pricing_plan_select_text_font_family’ parameter field. When the plugin saves these settings, the payload persists in the database. The payload executes whenever any user views a payment page that uses the compromised form settings, as the malicious content renders directly into the page’s CSS variables without output escaping.
Patch Analysis:
The patch adds proper output escaping using esc_attr() function calls for multiple user-controlled parameters. For the ‘pricing_plan_select_text_font_family’ parameter specifically, line 309 in PaymentForm.php changes from direct concatenation to:

$response .= '--payment-page-element-form-select-font-family : ' . esc_attr( $settings['pricing_plan_select_text_font_family'] ) . ';' . "\n";

The patch applies similar esc_attr() protection to 14 other font family parameters throughout the same file, including ‘pricing_plan_select_title_font_family’, ‘form_field_label_font_family’, and ‘form_field_input_font_family’.
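The following is an added example written for this analysis; it is not the plugin’s own code. It models the vulnerable and patched CSS-variable builders described in the Root Cause and Patch Analysis sections side by side, runs them over a constructed font-family value that carries a benign break-out marker, and adds a save-time allow-list check as defence in depth that goes beyond what the patch itself does. esc_attr() is WordPress’s attribute-escaping helper; a minimal stand-in is defined so the script runs on plain PHP outside WordPress. The settings array shape and the sanitize_font_family() helper are assumptions of this example.

```php
<?php
// Added example, not the plugin's own code. Models the vulnerable and patched
// CSS-variable builders from the advisory. Settings shape is assumed.

if ( ! function_exists( 'esc_attr' ) ) {
    // Stand-in for WordPress esc_attr(): HTML-encodes <, >, &, " and '.
    // (WordPress's real implementation also normalises pre-existing entities.)
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable form (before the fix): raw concatenation into the CSS text.
function css_variables_vulnerable( array $settings ) {
    $response  = '';
    $response .= '--payment-page-element-form-select-font-family : '
        . $settings['pricing_plan_select_text_font_family'] . ';' . "\n";
    return $response;
}

// Patched form: esc_attr() applied before concatenation, as in the fix.
function css_variables_patched( array $settings ) {
    $response  = '';
    $response .= '--payment-page-element-form-select-font-family : '
        . esc_attr( $settings['pricing_plan_select_text_font_family'] ) . ';' . "\n";
    return $response;
}

// Defence in depth (assumption of this example, not part of the patch):
// validate the value at save time so only a plausible font-family list is stored.
function sanitize_font_family( $value ) {
    $value = trim( (string) $value );
    // Letters, digits, spaces, commas, hyphens and simple quotes only.
    if ( ! preg_match( '/^[A-Za-z0-9 ,\'"\-]{1,100}$/', $value ) ) {
        return 'inherit';
    }
    return $value;
}

// Constructed samples: a normal value and one carrying a </style> break-out marker.
$benign  = array( 'pricing_plan_select_text_font_family' => 'Helvetica, Arial, sans-serif' );
$tainted = array( 'pricing_plan_select_text_font_family' => 'Arial</style><em>injected</em>' );

echo "--- vulnerable builder, tainted value (markup survives intact) ---\n";
echo css_variables_vulnerable( $tainted );
echo "--- patched builder, tainted value (angle brackets encoded) ---\n";
echo css_variables_patched( $tainted );
echo "--- save-time allow-list ---\n";
echo sanitize_font_family( $tainted['pricing_plan_select_text_font_family'] ) . "\n"; // inherit
echo sanitize_font_family( $benign['pricing_plan_select_text_font_family'] ) . "\n";  // unchanged
```

Run with `php example.php`. The patched builder turns `<` and `>` into `&lt;` and `&gt;`, so the stored value can no longer close the enclosing element or attribute; the font declaration may render as nonsense CSS, but nothing executes. The allow-list check is the complementary control: output escaping is the fix the patch ships, while rejecting non-font-family input at save time means a bad value is never persisted for any of the 15 affected parameters in the first place.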
Impact:
Successful exploitation allows attackers to inject arbitrary JavaScript that executes in the context of any user viewing affected payment pages. This enables session hijacking, credential theft, content manipulation, and redirection to malicious sites. Because the payload is stored persistently, it affects all subsequent visitors to compromised payment pages until administrators remove the malicious code. The Author-level access requirement limits immediate widespread impact but provides significant privilege within multi-author WordPress installations.
