CVE-2021-47948

MEDIUM

WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47948. PoCs published by Niraj Mahajan.

AI-analyzed exploit summary This exploit demonstrates an HTML injection vulnerability in the WordPress Payments Plugin | GetPaid version 2.4.6. The attacker can inject arbitrary HTML code into the 'Help Text' field of a payment form, which is then stored and executed in the database, leading to potential XSS or content manipulation.

Description

WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Niraj Mahajan · textwebappsphp

https://www.exploit-db.com/exploits/50246

View Code ZIP pw:eip

This exploit demonstrates an HTML injection vulnerability in the WordPress Payments Plugin | GetPaid version 2.4.6. The attacker can inject arbitrary HTML code into the 'Help Text' field of a payment form, which is then stored and executed in the database, leading to potential XSS or content manipulation.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress Payments Plugin | GetPaid 2.4.6

Auth required

Prerequisites: WordPress 5.8 installed · WordPress Payments Plugin | GetPaid 2.4.6 installed and activated · Admin access to create payment forms

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 10, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-50246

https://www.exploit-db.com/exploits/50246

Product product

Product Reference

https://wordpress.org/plugins/invoicing/

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text

https://www.vulncheck.com/advisories/wordpress-getpaid-plugin-html-injection-via-help-text

Scores

CVSS v3 5.4

EPSS 0.0017

EPSS Percentile 6.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-80

Status published

Products (1)

invoicing/Payments Plugin GetPaid 2.4.6

Published May 10, 2026

Tracked Since May 10, 2026