WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text

Advisories

WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text

severity: medium
date: 5/10/2026
Affecting: Payments Plugin GetPaid <= 2.4.6
CVE: CVE-2021-47948
CWE: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-50246
Product Reference
Credit: Niraj Mahajan
Description: WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo