PatchSiren cyber security CVE debrief

CVE-2026-8893 payaddons CVE debrief

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the [stripe-express] shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value, which is concatenated into an HTML attribute in the rendered output of the register_shortcode() function without being passed through esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendor: payaddons
Product: Express Payment For Stripe
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-06
Original CVE updated: 2026-06-08
Advisory published: 2026-06-06
Advisory updated: 2026-06-08

Who should care

Users of the Express Payment For Stripe plugin for WordPress, particularly those with contributor-level access and above, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability exists in the Express Payment For Stripe plugin for WordPress, specifically in the handling of the 'type' attribute of the [stripe-express] shortcode. The plugin fails to properly sanitize and escape user input, allowing authenticated attackers to inject malicious scripts.

Defensive priority

MEDIUM

Recommended defensive actions

Update the Express Payment For Stripe plugin to a version that fixes this vulnerability.
Limit contributor-level access and above to trusted users only.
Regularly monitor pages for injected scripts.

Evidence notes

The CVE record (resourceLinkAnnotations: cve-org) and NVD detail (resourceLinkAnnotations: nvd) provide additional information on this vulnerability.

Official resources

CVE-2026-8893 was published on 2026-06-06T00:16:41.887Z and modified on 2026-06-08T14:57:14.757Z.