Description
WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows authenticated users who can edit payment forms to insert arbitrary HTML into the Help Text field of the GetPaid plugin. The stored HTML is rendered rather than escaped when the form is viewed, enabling stored cross-site scripting that could deface pages, steal session cookies, or load attacker-controlled scripts. The weakness is classified as CWE-80, improper neutralization of script-related HTML tags in a web page.

Affected Systems

The GetPaid plugin for WordPress, specifically version 2.4.6, is affected. The plugin is used in WordPress installations that provide invoicing and payment forms. No other versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with the capability to edit payment forms, so the attack surface is limited to users who already hold those administrative permissions. Despite the authentication requirement, the impact on end-user browsers is significant because the injected HTML executes automatically whenever the form is displayed. Given the combination of a moderate CVSS score, the absence of exploit data, and the restricted attack vector, the immediate risk is moderate and is mitigated by applying the official patch.

Generated by OpenCVE AI on May 10, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official GetPaid plugin update to a version newer than 2.4.6 that removes the HTML injection flaw.
  • If an update is unavailable, delete or sanitize all existing Help Text entries before allowing them to load in the browser.
  • Restrict the ability to edit Help Text to trusted administrators only, or configure the plugin to strip HTML tags from the field.

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed.

Type: Title
Values Removed: (none)
Values Added: WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-80

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: score 5.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  cvssV4_0: score 5.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:44:05.133Z

Reserved: 2026-02-01T11:24:18.719Z

Link: CVE-2021-47948

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T13:16:31.323

Modified: 2026-05-10T13:16:31.323

Link: CVE-2021-47948

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:00:11Z

Weaknesses