ZCyberNews
CVE-2021-47948

WordPress GetPaid Plugin HTML Injection Flaw CVE-2021-47948

CVE-2021-47948 (CVSS 5.4): Authenticated attackers can inject arbitrary HTML via the Help Text field in GetPaid 2.4.6, enabling stored XSS attacks on payment forms.

Executive Summary

A stored HTML injection vulnerability in the WordPress GetPaid plugin (versions up to 2.4.6) allows authenticated attackers to inject arbitrary HTML code via the Help Text field in payment forms, according to a National Vulnerability Database (NVD) entry published on 2026-05-10. Assigned CVE-2021-47948 with a CVSS v3.1 base score of 5.4 (medium severity), the flaw enables attackers with contributor-level or higher access to inject malicious HTML — including image tags and JavaScript — that executes when administrators or customers view the compromised payment form. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating a stored cross-site scripting (XSS) vector.

Technical Analysis

The GetPaid plugin (previously known as WP Invoicing) is a widely used WordPress extension for creating invoices, payment forms, and subscription management. According to the NVD entry, the vulnerability resides in the Help Text field within the payment form builder interface. The plugin fails to sanitize user-supplied input before storing it in the database and rendering it in the browser.

An authenticated attacker with at least Contributor-level permissions can craft a payment form and insert arbitrary HTML into the Help Text field. This input is stored server-side and served to any user who views the form — including site administrators and customers. The injected HTML can include <img> tags with onerror event handlers or <script> tags, enabling stored XSS attacks.

The CVSS vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reveals the attack surface: network-based exploitation with low complexity, requiring low-privilege authentication and user interaction (a victim must view the form). The scope change (S:C) indicates the injected code can affect resources beyond the vulnerable component, such as stealing session cookies or performing actions in the context of the victim.

The NVD entry does not state whether a patched version of the plugin has been released. As of this writing, the WordPress plugin repository lists version 2.4.6 as the latest stable release, but the CVE identifier was assigned in 2021, so a fix may already have shipped quietly in a later update without being called out in the changelog. Defenders should check their installed version against the plugin changelog rather than rely on the NVD entry alone.

Mitigations & Recommendations

WordPress site administrators should immediately review the installed version of the GetPaid plugin. If running version 2.4.6 or earlier, update to the latest available version from the WordPress plugin repository. If no patched version exists, restrict Contributor-level and Author-level roles from creating or editing payment forms using a role management plugin such as User Role Editor.

As a compensating control, enable a Web Application Firewall (WAF) with rules to block common XSS payloads in POST requests to payment form endpoints. Additionally, audit existing payment forms for suspicious HTML in Help Text fields — look for unexpected <script>, <img onerror>, or <iframe> tags. Review server access logs for unusual form submissions from low-privilege user accounts.
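The audit step above can be scripted. The following is an added example, not code from the GetPaid project or the advisory: it parses stored Help Text values with Python's standard-library HTML parser and flags the constructs the text names (script, iframe, event-handler attributes such as onerror) plus javascript: URLs. The sample values and form ids are constructed; in practice the values would be pulled from the plugin's form storage.

```python
from html.parser import HTMLParser

# Tags that have no business in a help string. The advisory names <script>,
# <img onerror> and <iframe>; object/embed/svg are added as obvious siblings.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg"}
# Attributes that take a URL and so can carry a javascript: scheme.
URL_ATTRS = {"src", "href", "action", "formaction"}


class HelpTextAuditor(HTMLParser):
    """Collects findings while walking one stored Help Text value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"handler:{tag}@{name}")
            if name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"js-url:{tag}@{name}")


def audit_help_text(value):
    """Return the list of findings for one Help Text value (empty when clean)."""
    auditor = HelpTextAuditor()
    auditor.feed(value)
    auditor.close()
    return auditor.findings


def audit_forms(forms):
    """Map form id -> findings, keeping only forms that need review."""
    results = {}
    for form_id, text in forms.items():
        findings = audit_help_text(text)
        if findings:
            results[form_id] = findings
    return results


# Constructed sample of stored Help Text values (not taken from any real site).
SAMPLE_FORMS = {
    "form-1": "Enter the <b>invoice number</b> printed on your receipt.",
    "form-2": '<img src="x" onerror="alert(1)">',
    "form-3": "<script>alert(1)</script>",
    "form-4": '<a href="javascript:void(0)">help</a>',
    "form-5": '<iframe src="https://example.invalid/"></iframe>',
}

if __name__ == "__main__":
    for form_id, findings in audit_forms(SAMPLE_FORMS).items():
        print(form_id, findings)
```

Any form that is reported should be checked against who last edited it, which ties back to the access-log review recommended above.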
