CVE-2025-49302: RCE in Easy Stripe Payment Gateway
Platform
wordpress
Component
easy-stripe
Fixed in
1.1.1
CVE-2025-49302 describes a Remote Code Execution (RCE) vulnerability within the Easy Stripe payment gateway. This flaw, stemming from improper code generation control (code injection), allows attackers to include arbitrary code, potentially granting them complete control over affected systems. The vulnerability impacts Easy Stripe versions 0.0 up to and including 1.1, with a fix available in version 1.1.1.
Impact and Attack Scenarios
The impact of this RCE vulnerability is severe. An attacker exploiting CVE-2025-49302 can execute arbitrary code on the server hosting the Easy Stripe payment gateway. This could lead to complete system compromise, including data exfiltration (sensitive customer payment information, database credentials), modification of system files, and installation of malware. The attacker could also leverage this access to move laterally within the network, compromising other systems and escalating privileges. Given the nature of a payment gateway, the potential for financial fraud and reputational damage is significant.
Exploitation Context
The vulnerability's public disclosure date is 2025-07-04. Exploitation probability is currently assessed as medium, given the RCE nature and the potential for easy exploitation once a suitable payload is crafted. No public Proof-of-Concept (POC) exploits have been observed at the time of writing, but the ease of code inclusion suggests that POCs are likely to emerge. This vulnerability is not currently listed on KEV or EPSS, but its critical severity warrants close monitoring.
Threat Intelligence
Exploit Status:
EPSS: 0.09% (25th percentile)
CISA SSVC:
CVSS Vector:
What do these metrics mean?
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-49302 is to immediately upgrade Easy Stripe to version 1.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing a temporary workaround by restricting file access permissions on the server hosting Easy Stripe. Specifically, ensure that the include_path configuration is carefully reviewed and that only trusted directories are included. Implement a Web Application Firewall (WAF) with rules to detect and block attempts to include arbitrary files. After upgrading, verify the fix by attempting to trigger the code inclusion vulnerability and confirming that it is no longer exploitable.
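The first step in the mitigation above is knowing which Easy Stripe version a site runs and whether it sits inside the affected range. The script below is an added example, not code from the advisory or from the plugin: it reads the version from a WordPress plugin header or from `wp plugin list --format=json` output and compares it against the fixed version. The affected range (0.0 through 1.1) and the fixed version (1.1.1) are taken from this page; the plugin header text and the WP-CLI JSON are constructed sample inputs.

```python
"""Version check for CVE-2025-49302 in the Easy Stripe WordPress plugin.

Added example, not code from the advisory or from the plugin. The affected
range (0.0 through 1.1) and the fixed version (1.1.1) come from the advisory;
the plugin header and WP-CLI output below are constructed sample inputs.
"""
import json
import re

PLUGIN_SLUG = "easy-stripe"
FIXED_IN = "1.1.1"


def parse_version(version):
    """Turn '1.1', '1.1.1' or '1.1-beta2' into a tuple of ints (suffixes dropped)."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version, fixed_in=FIXED_IN):
    """True when the installed version sorts below the fixed version.

    Tuples are zero-padded to equal length so that '1.1' is treated as
    '1.1.0' and therefore as affected (it is below 1.1.1).
    """
    a, b = parse_version(version), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def version_from_plugin_header(php_source):
    """Read the 'Version:' field from a WordPress plugin main-file header comment."""
    m = re.search(r"^[\s*]*Version:\s*(\S+)", php_source, re.MULTILINE)
    return m.group(1) if m else None


def check_wp_cli_plugins(json_text, slug=PLUGIN_SLUG):
    """Inspect `wp plugin list --format=json` output.

    Returns a dict with the installed version and affected flag, or None when
    the plugin is not installed.
    """
    for plugin in json.loads(json_text):
        if plugin.get("name") == slug:
            version = plugin.get("version", "")
            return {"slug": slug, "version": version, "affected": is_affected(version)}
    return None


# Constructed sample inputs (not real files or output from any site).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Easy Stripe
 * Description: Stripe payment gateway (constructed header for this example)
 * Version: 1.1
 */
"""

SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "easy-stripe", "status": "active", "update": "available", "version": "1.1"},
])


if __name__ == "__main__":
    header_version = version_from_plugin_header(SAMPLE_HEADER)
    print(f"header version {header_version}: affected={is_affected(header_version)}")
    print(check_wp_cli_plugins(SAMPLE_WP_CLI_JSON))
    for v in ("0.0", "1.1", "1.1.1", "1.2"):
        print(v, "affected" if is_affected(v) else "fixed")
```

On a live site the JSON input would come from `wp plugin list --format=json` and the header from the plugin's main PHP file under `wp-content/plugins/`; both paths are assumed here rather than taken from the advisory. The check treats anything below 1.1.1 as affected, so a pre-release suffix such as `1.1-beta` is still flagged.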
How to fix
Update the Easy Stripe plugin to version 1.1.1 or later to mitigate the remote code execution vulnerability. Make sure to back up your website before updating any plugin.
Frequently asked questions
What is CVE-2025-49302 — RCE in Easy Stripe Payment Gateway?
CVE-2025-49302 is a critical Remote Code Execution (RCE) vulnerability in Easy Stripe, allowing attackers to execute arbitrary code. It affects versions 0.0 through 1.1 and can lead to full system compromise and data theft.
Am I affected by CVE-2025-49302 in Easy Stripe Payment Gateway?
If you are using Easy Stripe version 0.0 through 1.1, you are affected by this vulnerability. Immediately check your version and upgrade to 1.1.1 or later.
How do I fix CVE-2025-49302 in Easy Stripe Payment Gateway?
The recommended fix is to upgrade Easy Stripe to version 1.1.1 or later. As a temporary workaround, restrict file access permissions and implement WAF rules to prevent code inclusion.
Is CVE-2025-49302 being actively exploited?
While no public exploits have been observed, the vulnerability's severity and ease of exploitation suggest that active exploitation is possible. Continuous monitoring is recommended.
Where can I find the official Easy Stripe advisory for CVE-2025-49302?
Refer to the official Easy Stripe website and security advisories for the latest information and updates regarding CVE-2025-49302. Check their documentation and release notes.