CVE-2021-47948: WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text
WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed.
Security readout for executives and security teams
Plain-English summary
CVE-2021-47948 affects WordPress GetPaid Plugin version 2.4.6. An authenticated user who can create payment forms can store unsafe HTML in the Help Text field. When someone views the form, that HTML may run in their browser, creating phishing, content tampering, or limited session-risk scenarios.
Executive priority
Treat as a near-term WordPress application hygiene issue, not an emergency. Prioritize sites processing payments or allowing multiple authenticated users. The main business concern is customer trust damage from injected content on payment forms.
Technical view
The issue is a stored HTML injection flaw, mapped to CWE-80, in the payment form Help Text field. The CVSS 3.1 score is 5.4 with low attack complexity, low privileges required, user interaction required, changed scope, and low confidentiality and integrity impact. Sources identify version 2.4.6 as affected.
Likely exposure
Exposure is likely limited to WordPress sites running GetPaid Plugin 2.4.6 where authenticated users can create or edit payment forms. Public-facing payment forms increase business impact because customers or staff may view injected content.
Exploitation context
The bundle includes an ExploitDB reference, so public exploit information exists. CISA KEV status is false, and the provided sources do not show confirmed active exploitation. Exploitation requires an authenticated attacker and a victim viewing the affected form.
Researcher notes
Evidence supports affected version 2.4.6, authenticated stored HTML injection, CVSS 5.4, CWE-80, and public exploit reference. The provided bundle does not name a patched version, official mitigation, or active exploitation. Avoid expanding scope beyond GetPaid Plugin 2.4.6.
Mitigation direction
Inventory WordPress sites for GetPaid Plugin version 2.4.6.
Check vendor and advisory guidance for a fixed release or official workaround.
Restrict payment form creation to trusted administrative users.
Review and remove unsafe HTML from payment form Help Text fields.
Disable the plugin or affected forms if exposure cannot be controlled.
Validation and detection
Confirm whether GetPaid Plugin 2.4.6 is installed on any WordPress site.
Review payment form Help Text fields for unexpected HTML, image tags, or scripts.
Check user activity around payment form creation and edits.
Verify only trusted roles can create or modify payment forms.
Confirm remediation against vendor guidance before closing the finding.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-80: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-80 · source CWE mapping
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.