CVE-2025-1690
📋 TL;DR
The ThemeMakers Stripe Checkout plugin for WordPress versions up to 1.0.1 contains a stored cross-site scripting vulnerability in the 'stripe' shortcode. Authenticated attackers with contributor-level or higher permissions can inject malicious scripts that execute when users view affected pages. This affects WordPress sites using the vulnerable plugin version.
💻 Affected Systems
- ThemeMakers Stripe Checkout WordPress Plugin
📦 What is this software?
Stripe Checkout by Thememakers
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users.
Likely Case
Malicious contributors or compromised accounts inject tracking scripts, ads, or credential harvesting forms into public pages.
If Mitigated
With proper user access controls and content security policies, impact is limited to script execution in the context of the vulnerable page.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.2
Vendor Advisory: https://github.com/ThemeMakers/tmm_stripe_checkout/compare/v1.0.1...v1.0.2
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Stripe Checkout' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.0.2 from the repository and manually replace the plugin files.
🔧 Temporary Workarounds
Remove vulnerable shortcode usage
Temporarily remove or disable the 'stripe' shortcode in all posts and pages. The query below assumes the default wp_ table prefix; take a database backup before running it.
UPDATE wp_posts SET post_content = REPLACE(post_content, '[stripe', '[disabled_stripe') WHERE post_content LIKE '%[stripe%';
Restrict user roles
Temporarily remove contributor-level editing permissions from untrusted users
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Disable the Stripe Checkout plugin completely until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Stripe Checkout' version. If version is 1.0.1 or lower, you are vulnerable.
Check Version:
wp plugin list --name='stripe-checkout' --field=version
Verify Fix Applied:
After updating, verify the plugin shows version 1.0.2 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual post/page edits by contributor-level users
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- External script loads from unexpected domains in page responses
- Suspicious JavaScript in page source containing 'stripe' shortcode attributes
SIEM Query:
source="wordpress.log" AND (event="post_updated" OR event="page_updated") AND user_role="contributor" AND content LIKE "%[stripe%"
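As an added triage example (not code from this advisory or from the plugin), the Python scanner below reads exported wp_posts rows, parses every [stripe ...] shortcode and flags attribute names or values that look like injected markup, so defenders can find already-stored payloads rather than only watching for new edits. The plugin's own attribute names are not documented here, so attributes are parsed generically, and the sample rows are constructed.

```python
import re

# [stripe ...] shortcode with its raw attribute string (the plugin's attribute
# names are not given on this page, so attributes are parsed generically).
SHORTCODE_RE = re.compile(r"\[stripe\b([^\]]*)\]", re.IGNORECASE)

# key="value" | key='value' | key=value, the shapes shortcode_parse_atts() accepts.
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s\"'\]]+))")

# Attribute *names* that are HTML event handlers, and *values* carrying markup,
# inline handlers, script URLs or entity-encoded payloads.
EVENT_HANDLER_RE = re.compile(r"^on\w+$", re.IGNORECASE)
SUSPICIOUS_VALUE_RES = [
    re.compile(r"[<>]"),
    re.compile(r"\bon\w+\s*=", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"&#x?[0-9a-f]+;", re.IGNORECASE),
]

def parse_attrs(raw):
    """Map attribute name -> value for one shortcode's attribute string."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return attrs

def find_suspicious_shortcodes(post_id, author, content):
    """Return (post_id, author, attr, value) for every attribute that looks injected."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for key, value in parse_attrs(sc.group(1)).items():
            if EVENT_HANDLER_RE.match(key) or any(p.search(value) for p in SUSPICIOUS_VALUE_RES):
                findings.append((post_id, author, key, value))
    return findings

def scan_posts(posts):
    """posts: iterable of (ID, post_author, post_content) rows, e.g. exported from wp_posts."""
    findings = []
    for post_id, author, content in posts:
        findings.extend(find_suspicious_shortcodes(post_id, author, content))
    return findings

# Constructed sample rows, not real site content.
SAMPLE_POSTS = [
    (101, "editor_jane", 'Buy now: [stripe name="Pro Plan" amount="4900" label="Pay"]'),
    (102, "contrib_bob", '[stripe name="Pro" label="Pay" onmouseover="alert(1)"]'),
    (103, "contrib_bob", '[stripe name="<img src=x onerror=alert(1)>" amount="100"]'),
    (104, "editor_jane", "Starter: [stripe name='Starter' amount=999]"),
]

if __name__ == "__main__":
    for post_id, author, key, value in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id} by {author}: suspicious attribute {key}={value!r}")
```

Flagged post IDs and authors can be cross-checked against the post-edit log indicators listed above.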