CVE-2022-50797
📋 TL;DR
The Stripe Green Downloads WordPress plugin version 2.03 contains a persistent cross-site scripting (XSS) vulnerability in button label fields. Attackers can inject malicious scripts that execute when administrators view plugin settings, potentially leading to session hijacking and unauthorized actions. WordPress sites using this vulnerable plugin version are affected.
💻 Affected Systems
- Stripe Green Downloads WordPress Plugin (version 2.03)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrator sessions, install backdoors, manipulate plugin settings to distribute malware, or take full control of the WordPress site.
Likely Case
Attackers inject malicious scripts that steal administrator session cookies or credentials when admins view plugin settings, leading to unauthorized access.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing exploitation.
🎯 Exploit Status
Exploitation requires administrator access to modify plugin settings. Public proof-of-concept demonstrates injection via button label fields.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.04 or later
Vendor Advisory: https://wordpress.org/plugins/stripe-green-downloads/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Stripe Green Downloads' and click 'Update Now'.
4. Verify the version is 2.04 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until it is patched.
wp plugin deactivate stripe-green-downloads
Restrict Admin Access
Limit administrator access to trusted IP addresses only.
🧯 If You Can't Patch
- Remove the Stripe Green Downloads plugin entirely from the WordPress installation.
- Implement web application firewall (WAF) rules to block XSS payloads targeting the plugin's settings endpoints.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Stripe Green Downloads' version 2.03.
Check Version:
wp plugin get stripe-green-downloads --field=version
Verify Fix Applied:
Verify plugin version is 2.04 or higher in WordPress admin panel > Plugins > Installed Plugins.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin.php?page=stripe-green-downloads with script tags in parameters
- Administrator account logins from unexpected locations following plugin settings changes
Network Indicators:
- HTTP requests containing malicious script payloads to plugin settings endpoints
- Unexpected outbound connections from WordPress server following admin panel access
SIEM Query:
source="wordpress.log" AND ("stripe-green-downloads" AND ("<script" OR "javascript:" OR "onerror="))
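Added example, not part of the advisory: a small Python detector that applies the indicators from the SIEM query above to web-server access-log lines, URL-decoding the request first so that percent-encoded payloads (which a literal substring match misses) are still flagged. The log lines are constructed samples in combined log format; the settings-page path is the one given under Log Indicators.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic), combined log format
# with the query string preserved. The third line percent-encodes its payload,
# which a literal substring match on "<script" or "onerror=" would miss.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2022:10:01:02 +0000] "POST /wp-admin/admin.php?page=stripe-green-downloads&button_label=Download HTTP/1.1" 302 0
10.0.0.9 - admin [01/Mar/2022:10:05:44 +0000] "POST /wp-admin/admin.php?page=stripe-green-downloads&button_label=<script>x</script> HTTP/1.1" 302 0
10.0.0.9 - admin [01/Mar/2022:10:06:10 +0000] "POST /wp-admin/admin.php?page=stripe-green-downloads&button_label=%3Cimg%20src%3Dx%20onerror%3Dx%3E HTTP/1.1" 302 0
10.0.0.7 - - [01/Mar/2022:10:07:00 +0000] "GET /wp-admin/admin.php?page=other-plugin&q=<script> HTTP/1.1" 200 512
"""

# Indicators taken from the advisory's SIEM query, matched case-insensitively
# against the decoded request target.
INDICATORS = ("<script", "javascript:", "onerror=")
PLUGIN_PAGE = "page=stripe-green-downloads"

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_text):
    """Return (ip, user, timestamp, decoded_target) for every request to the
    plugin settings page whose URL-decoded target contains an XSS indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        # Decode twice so double-encoded payloads are normalised too.
        decoded = unquote_plus(unquote_plus(m["target"])).lower()
        if PLUGIN_PAGE not in decoded:
            continue  # only the plugin's settings endpoint is in scope
        if any(ind in decoded for ind in INDICATORS):
            hits.append((m["ip"], m["user"], m["ts"], decoded))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Correlate each hit's IP and admin user with the login records mentioned under Log Indicators; the encoded third line is the case the plain SIEM query does not catch.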