Simple Stripe WordPress Plugin CVE-2025-48085
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in ZIPANG Simple Stripe simple-stripe allows Stored XSS.This issue affects Simple Stripe: from n/a through <= 0.9.17.
AnalysisAI
Cross-Site Request Forgery in Simple Stripe WordPress plugin versions through 0.9.17 enables attackers to execute stored cross-site scripting attacks. Remote unauthenticated attackers can trick authenticated administrators into submitting malicious requests that inject persistent JavaScript code into the site. EPSS exploitation probability is extremely low at 0.02% (4th percentile), indicating minimal real-world targeting to date. No active exploitation confirmed by CISA KEV, though the CSRF-to-XSS chain represents a realistic threat to WordPress sites using this payment plugin.
Technical ContextAI
This vulnerability affects the Simple Stripe WordPress plugin by ZIPANG, a payment integration tool for Stripe payment processing. The flaw is classified as CWE-352 (Cross-Site Request Forgery), where inadequate anti-CSRF token validation allows attackers to forge requests on behalf of authenticated users. The CSRF serves as an initial access vector that chains into stored XSS, meaning the malicious payload persists in the WordPress database and executes for all users viewing the affected page. The CVSS scope change (S:C) indicates the XSS can execute in a different security context than the vulnerable plugin itself, potentially compromising the entire WordPress installation. WordPress plugins commonly introduce CSRF vulnerabilities when custom admin forms lack proper nonce validation using WordPress's wp_nonce_field() and check_admin_referer() functions.
Affected ProductsAI
ZIPANG Simple Stripe plugin for WordPress, all versions from initial release through version 0.9.17 inclusive. CPE identifier not provided in available data. Patchstack vulnerability database confirms version range as <= 0.9.17. Vendor advisory and affected version details available at Patchstack reference: https://patchstack.com/database/Wordpress/Plugin/simple-stripe/vulnerability/wordpress-simple-stripe-plugin-0-9-17-cross-site-request-forgery-csrf-to-stored-xss-vulnerability
RemediationAI
Upgrade Simple Stripe plugin to version 0.9.18 or later if available, as the vulnerability affects all versions through 0.9.17. Check for updates through WordPress Admin Dashboard > Plugins or directly from the WordPress.org plugin repository. Patchstack disclosure at https://patchstack.com/database/Wordpress/Plugin/simple-stripe/vulnerability/wordpress-simple-stripe-plugin-0-9-17-cross-site-request-forgery-csrf-to-stored-xss-vulnerability should provide patch confirmation and fixed version details. If immediate patching is not feasible, implement compensating controls: (1) Restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules, reducing CSRF exposure but limiting legitimate remote admin access; (2) Deploy a Web Application Firewall (WAF) with CSRF protection rules, though this adds infrastructure complexity and may require tuning to avoid false positives; (3) Educate administrators to avoid clicking unknown links while logged into WordPress admin, though this relies on user behavior and is not technically enforceable; (4) Temporarily deactivate Simple Stripe plugin if payment processing can be paused, which eliminates the attack surface but disrupts business functionality. None of these workarounds provide complete protection - upgrading remains the definitive fix.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today