CVE-2025-49302 CRITICAL

CVE-2025-49302: WordPress Easy Stripe plugin <= 1.1 - Remote Code Execution (RCE) Vulnerability

Vendor: Scott Paterson
Product: Easy Stripe
Weakness: CWE-94 · Code injection
Published: July 4, 2025
Last update: May 12, 2026

CVSS base score

10.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe easy-stripe allows Remote Code Inclusion. This issue affects Easy Stripe: from n/a through <= 1.1.

Explanation of Vulnerability in Simple Terms

02 Summary

Easy Stripe versions 1.1 and earlier contain a code injection vulnerability that allows unauthenticated attackers to run arbitrary code on affected sites over the network. No user interaction is required. The vulnerability affects confidentiality, integrity, and availability of the entire system. Update to a version newer than 1.1 immediately.

What an attacker can do

03 Attacker Capabilities

Run arbitrary code on the site without authentication.

Potential impact on your site

04 Site Impact

Complete compromise of site data, functionality, and server resources.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

July 4, 2025: CVE published
May 12, 2026: Record updated