Platform
wordpress
Component
simple-stripe
Fixed in
0.9.18
CVE-2025-48085 describes a Cross-Site Request Forgery (CSRF) vulnerability leading to Stored XSS in the ZIPANG Simple Stripe WordPress plugin. Because the entry point is CSRF, the attacker does not need an account on the target site; instead, a logged-in user who has the rights to change the plugin's settings must be induced to load an attacker-controlled page, which silently submits a forged request that stores a malicious payload. All versions up to and including 0.9.17 are affected; the fix is in version 0.9.18.
Once stored, the injected JavaScript runs in the browser of every visitor or administrator who views the page on which the plugin renders the tainted content. Depending on who views it, this allows theft of session cookies or authentication tokens, redirection to phishing pages, defacement, or, when the victim is an administrator, actions taken with administrative privileges (for example creating a new admin user through the WordPress admin interface). The impact is more severe than a reflected XSS because the payload persists in the site's database until it is removed, so one successful forged request can affect many users over a long period.
CVE-2025-48085 was publicly disclosed on 2025-11-06. No public proof-of-concept exploit is currently known. The severity is rated HIGH (CVSS 7.1). Severity is not likelihood: the EPSS score of 0.02% (4th percentile) estimates a very low probability of exploitation within the next 30 days, and the CVE is not listed in the CISA KEV catalog. Expect that estimate to change if a proof of concept is published, since CSRF-to-XSS chains in WordPress plugins are cheap to weaponize.
Any site running the ZIPANG Simple Stripe plugin is at risk, in particular sites that handle customer or payment data, where a script running in an administrator's session has the most to steal. Shared hosting environments carry an additional, indirect risk: if the web server or file system is not isolated per site, an attacker who turns the XSS into a full site compromise may be able to reach neighbouring sites.
• wordpress / composer / npm: list the installed plugin with its status and version (the filter `--status=inactive` alone would miss the active, vulnerable copy):
wp plugin list --fields=name,status,version | grep simple-stripe
• wordpress / composer / npm: update the plugin (or everything with `wp plugin update --all`):
wp plugin update simple-stripe
• wordpress / composer / npm: look for injected script tags in the plugin's stored settings rather than in its source files; the plugin's own PHP and JavaScript legitimately contain `<script>` strings, so a match from the following command is not evidence of compromise on its own:
grep -r "<script" /var/www/html/wp-content/plugins/simple-stripe/*
• generic web: check the WordPress plugin directory for updates and security advisories related to Simple Stripe.
Disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-48085 is to upgrade ZIPANG Simple Stripe to version 0.9.18 or later. If upgrading is not immediately feasible, a Content Security Policy (CSP) that restricts the sources from which scripts may be loaded limits what an injected payload can do, but note the caveat: the WordPress admin interface depends on inline scripts, so a policy strict enough to block an injected inline `<script>` is hard to deploy without breaking the admin area, and CSP reduces impact rather than closing the CSRF hole. Additionally, review the plugin's stored settings and any plugin-rendered content for unexpected HTML or script tags and remove them; a payload that was stored before the upgrade is not removed by the upgrade. WordPress does not log JavaScript execution, so monitor instead the web server access log for POST requests to the plugin's admin settings endpoint with an unusual or missing `Referer`, and watch for unexpected new administrator accounts. After upgrading, confirm the fix by verifying that the settings form now carries a nonce and that a forged cross-site POST without a valid nonce is rejected, and that a test value containing markup is stored sanitized and rendered escaped.
Update the Simple Stripe plugin to the latest available version to close the CSRF vulnerability that could lead to execution of XSS code. Visit the plugin page on WordPress.org for the latest version and update instructions.
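To make the vulnerability class and the fix concrete, the following is an added, hypothetical example and not the Simple Stripe plugin's own code: a minimal WordPress admin settings handler in its vulnerable form (no nonce check, no capability check, no sanitization, unescaped output) beside the hardened form using the WordPress nonce, capability and escaping APIs. All function, option and field names prefixed `zs_demo_` are assumptions chosen for this illustration.

```php
<?php
// Added illustration of the CSRF -> stored XSS pattern; NOT the plugin's code.
// Assumed names: zs_demo_* functions, option 'zs_demo_button_label',
// POST field 'zs_demo_button_label', nonce action 'zs_demo_save_settings'.

/* ---------- VULNERABLE ---------- */

// Saves whatever is POSTed. Nothing ties the request to a form the site
// itself rendered, so an attacker's page can auto-submit
//   <form method="post" action="https://victim.example/wp-admin/admin.php?page=zs_demo">
//     <input name="zs_demo_button_label" value="<script>/* payload */</script>">
//   </form>
// while an administrator is logged in. The browser attaches the admin's
// cookies, WordPress accepts the request, and the payload is stored.
function zs_demo_save_settings_vulnerable() {
    if ( isset( $_POST['zs_demo_button_label'] ) ) {
        // No nonce check, no capability check, no sanitization.
        update_option( 'zs_demo_button_label', $_POST['zs_demo_button_label'] );
    }
}

// Renders the stored value unescaped: the stored payload now runs in the
// browser of everyone who views this page.
function zs_demo_render_vulnerable() {
    echo '<label>' . get_option( 'zs_demo_button_label', '' ) . '</label>';
}

/* ---------- HARDENED ---------- */

function zs_demo_save_settings_hardened() {
    if ( ! isset( $_POST['zs_demo_button_label'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // 2. CSRF defence: the request must carry a nonce issued to this user for
    //    this action; check_admin_referer() dies on a missing or invalid nonce.
    check_admin_referer( 'zs_demo_save_settings', 'zs_demo_nonce' );
    // 3. Input sanitization: strip tags and control characters before storing.
    $label = sanitize_text_field( wp_unslash( $_POST['zs_demo_button_label'] ) );
    update_option( 'zs_demo_button_label', $label );
}

function zs_demo_render_hardened() {
    $label = get_option( 'zs_demo_button_label', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() above validates.
    wp_nonce_field( 'zs_demo_save_settings', 'zs_demo_nonce' );
    // 4. Output escaping in the right context: esc_html() for element content,
    //    esc_attr() inside an attribute value. Even if a bad value reached the
    //    database, it is rendered as text, not executed.
    echo '<label>' . esc_html( $label ) . '</label>';
    echo '<input type="text" name="zs_demo_button_label" value="' . esc_attr( $label ) . '">';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}

// Hook the hardened handler; admin_init runs before any admin page output.
add_action( 'admin_init', 'zs_demo_save_settings_hardened' );
```

The four controls are independent and all four matter: the nonce alone stops the cross-site forgery, but sanitization on input and escaping on output are what stop a stored payload from executing if the nonce check is ever bypassed or a value reaches the option through another path (an import, a direct database edit). Verifying the fix in a real plugin means checking for exactly these calls around the settings save and render paths.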
CVE-2025-48085 is a Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in the ZIPANG Simple Stripe WordPress plugin: a forged request made through a logged-in user's browser stores a malicious script that later executes for other users.
You are affected if you are using ZIPANG Simple Stripe at any version up to and including 0.9.17. Upgrade to 0.9.18 or later to remove the vulnerability.
Upgrade the ZIPANG Simple Stripe plugin to version 0.9.18 or later. If an immediate upgrade is not possible, a WAF rule that blocks POST requests to the plugin's settings endpoint from foreign origins, combined with a review of the stored settings for injected markup, is a temporary workaround only.
No active exploitation has been confirmed as of 2025-11-06, and the EPSS score (0.02%, 4th percentile) is low; a published proof of concept would raise that estimate quickly because the chain requires only that a privileged user visit an attacker-controlled page.
Check the ZIPANG Simple Stripe plugin page on WordPress.org or the developer's website for the official advisory.