ThemeMakers Stripe Checkout WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the ThemeMakers Stripe Checkout plugin for WordPress, affecting versions through 1.0.1. The issue arises from inadequate input sanitization and output escaping of user-supplied attributes in the 'stripe' shortcode. This vulnerability allows authenticated attackers with contributor-level or higher permissions to inject arbitrary web scripts into pages, which are executed when users access the affected pages.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with contributor-level or higher permissions can use the 'stripe' shortcode without proper sanitization. This can be done by injecting a script into one of the shortcode's attributes. Once the shortcode is rendered on a page, the injected script will execute when the page is viewed.

Remediation

Users are advised to update the ThemeMakers Stripe Checkout plugin to version 1.0.2 or later.