Impact
The vulnerability permits the insertion of sensitive information into data that is subsequently transmitted by the GetPaid plugin. An attacker who can trigger these transmissions may obtain confidential data that the plugin otherwise protects, leading to a breach of confidentiality for users who rely on the plugin for invoicing and payment processing.
Affected Systems
The GetPaid plugin for WordPress, developed by Stiofan, is affected for all releases up to and including version 2.8.49. Users running any of these versions are at risk.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity level, while the EPSS score is <1%, indicating a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves exploiting exposed plugin functionalities that send data to external parties, such as invoices or payment notifications. An attacker would need to trigger these plugin actions to capture the unintended sensitive information.
OpenCVE Enrichment