CVE-2021-47948 Overview
CVE-2021-47948 is a stored HTML injection vulnerability in the WordPress GetPaid (Invoicing) plugin version 2.4.6. The flaw resides in the Help Text field of the payment form builder. An authenticated user who can create or edit payment forms can place arbitrary markup in that field, including <img> tags carrying event-handler attributes and inline scripts. The plugin persists the value to the database and echoes it unescaped into the rendered form, so the markup is interpreted in the browser of every user who later views that form. The issue is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), the CWE for basic stored cross-site scripting.
Critical Impact
Stored HTML injection in payment forms lets an attacker alter form content, present phishing text or fake input fields on a page where visitors expect to type payment details, or load remote resources from the context of the WordPress site. Because event-handler attributes are not stripped, the same field also yields script execution in the visitor's browser under the site's origin. Exploitation requires form-editing rights, so the practical severity depends on how widely the site grants them.
Affected Products
- WordPress GetPaid Plugin (also distributed as the Invoicing plugin) version 2.4.6
- Exposure is greatest on WordPress installations that grant payment form creation or editing to lower-privileged authenticated users
- Every site on the affected version renders stored Help Text to end users without sanitization, so any form previously edited by an untrusted account may already carry a payload
Discovery Timeline
- 2026-05-10 - CVE-2021-47948 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47948
Vulnerability Analysis
The GetPaid plugin renders the Help Text field of a payment form without neutralizing HTML metacharacters (<, >, and quotes). An authenticated user with permission to create or edit payment forms can supply markup such as <img src=x onerror=...> in the Help Text input. The plugin persists this value to the WordPress database and later writes it directly into the rendered form page. Browsers parse the stored payload as live HTML rather than as escaped text, producing a stored injection condition in the payment workflow; since event handlers fire when the element loads, script execution does not even require a <script> tag.
Root Cause
The root cause is missing output encoding of the Help Text value when the form template is built. The plugin treats the field as trusted rich content instead of plain text. None of WordPress's contextual escaping functions is applied before the stored value is echoed: esc_html() for a text node, esc_attr() if the value is placed inside an attribute, or wp_kses() with an explicit allowed-tags array if limited formatting is genuinely required. Omitting all of these violates the escape-on-output model WordPress expects for user-supplied data.
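The escaping model just described, shown as an added Python illustration rather than the plugin's PHP or the vendor's fix: html.escape() plays the role of esc_html(), and a small allowlist parser plays the role of wp_kses() with an explicit allowed-tags array. The <p class="getpaid-form-help"> wrapper, the function names and the sample payload are assumptions introduced here; the real change belongs in the PHP form template.

```python
"""Two ways to emit a stored Help Text value safely, illustrated in Python.
html.escape() stands in for esc_html(); AllowlistSanitizer stands in for
wp_kses() with an explicit allowed-tags array. The <p class="getpaid-form-help">
wrapper is an assumed template fragment, not the plugin's markup."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowed tag -> allowed attributes. Everything else (img, script, iframe, on* handlers) is dropped.
ALLOWED_TAGS = {"b": set(), "strong": set(), "i": set(), "em": set(), "br": set(), "a": {"href", "title"}}
VOID_TAGS = {"br"}
# Relative and scheme-less URLs are rejected on purpose: browsers strip tabs and
# newlines before reading the scheme, so "java\tscript:" parses as scheme-less here
# but still runs in the browser. Only an explicit safe scheme is accepted.
SAFE_SCHEMES = {"http", "https", "mailto"}


def render_help_text_vulnerable(help_text: str) -> str:
    """Reproduces the defect: the stored value is concatenated into the template as-is."""
    return f'<p class="getpaid-form-help">{help_text}</p>'


def render_help_text_escaped(help_text: str) -> str:
    """esc_html() model: Help Text is plain text; every metacharacter becomes an entity."""
    return f'<p class="getpaid-form-help">{html.escape(help_text, quote=True)}</p>'


class AllowlistSanitizer(HTMLParser):
    """wp_kses() model: keep only allowlisted tags/attributes, escape all text, keep output balanced."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open: list[str] = []   # allowed tags emitted but not yet closed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                   # tag dropped; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue             # drops on* handlers and any unlisted attribute
            if name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue             # drops javascript:, data:, vbscript: and scheme-less links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:         # close back to this tag so nesting stays balanced
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # script/style bodies also arrive here and are escaped, so they become inert text
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        self.close()
        while self.open:             # close anything the author left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_help_text(help_text: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(help_text)
    return parser.result()


def render_help_text_allowlisted(help_text: str) -> str:
    return f'<p class="getpaid-form-help">{sanitize_help_text(help_text)}</p>'


# Constructed payload of the kind the advisory describes, not the published PoC.
PAYLOAD = 'See <b>terms</b> <img src=x onerror=alert(document.domain)> <a href="javascript:alert(1)" onclick="x()">here</a>'

if __name__ == "__main__":
    print(render_help_text_vulnerable(PAYLOAD))    # <img ...> reaches the browser as live HTML
    print(render_help_text_escaped(PAYLOAD))       # the whole payload is shown verbatim as text
    print(render_help_text_allowlisted(PAYLOAD))   # <b> kept, img dropped, link loses javascript: and onclick
```

For a Help Text box, plain-text escaping is the right default; reach for the allowlist variant only if the form builder is meant to accept formatting, and keep the allowed-tags set as small as the one above.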
Attack Vector
Exploitation requires an authenticated session with rights to create or modify payment forms in the GetPaid plugin. The attacker inserts HTML into the Help Text field during form creation. Any subsequent visitor who loads the payment form receives the injected markup. The injected content can deface the form, present fake input fields to harvest credentials or payment data, or trigger requests to attacker-controlled hosts. Public exploitation details are documented in Exploit-DB #50246 and the VulnCheck advisory.
No verified exploit code is reproduced here. Refer to the published advisory for the proof-of-concept payload and step-by-step reproduction.
Detection Methods for CVE-2021-47948
Indicators of Compromise
- Payment form records in the WordPress database containing HTML tags such as <img, <script, <iframe, or inline event handlers (onerror=, onload=) within Help Text fields.
- Outbound HTTP requests from visitor browsers to unexpected domains when a GetPaid payment form is loaded.
- Form audit log entries showing Help Text edits performed by non-administrator accounts.
Detection Strategies
- Query the wp_posts and plugin-specific meta tables for GetPaid form definitions and flag entries whose Help Text values contain a tag-like sequence (a < followed by a letter or /) or an event-handler attribute (on...=). Flagging every angle bracket also works but produces noise on prose such as "amount < 10", so review hits before treating them as evidence of compromise.
- Inspect rendered payment form HTML in staging environments and compare DOM nodes against the expected template to surface injected elements.
- Review web access logs for repeated POST requests to GetPaid form creation or update endpoints from low-privilege accounts.
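One way to run the first two detection strategies offline, as an added example that is not part of this page or of the plugin: export each payment form's element list with WP-CLI and scan every free-text value. The post type wpi_payment_form, the meta key wpinv_form_elements and the element key description (the builder's Help Text box) are assumptions to confirm against your installation, and the sample exports are constructed. The scanner flags tag-like sequences, event-handler attributes and script URL schemes rather than every angle bracket, and it goes slightly beyond the text by checking every string-valued element key, not only Help Text.

```python
"""Scan exported GetPaid payment-form definitions for stored HTML injection.

Assumptions (not taken from the plugin's documentation): forms are the post type
`wpi_payment_form`, their elements live in the post meta `wpinv_form_elements`,
and the builder's Help Text box is stored under the element key `description`.
Export one form with:
    wp post meta get <ID> wpinv_form_elements --format=json
and list form IDs with:
    wp post list --post_type=wpi_payment_form --field=ID
"""
import json
import re
from dataclasses import dataclass, field

# A tag-like sequence: "<", optional "/", then a letter. A bare "<" in prose
# ("amount < 10") does not match, which a raw angle-bracket heuristic would flag.
TAG_RE = re.compile(r"<\s*/?\s*([a-z][a-z0-9-]*)", re.I)
EVENT_HANDLER_RE = re.compile(r"\b(on[a-z]+)\s*=", re.I)
SCRIPT_SCHEME_RE = re.compile(r"\b(javascript|vbscript)\s*:", re.I)
# Tags that run script or load remote resources, matching the IoC list above.
HIGH_RISK_TAGS = {"script", "iframe", "img", "svg", "object", "embed", "form", "input", "meta", "link"}


@dataclass
class Finding:
    form_id: int
    label: str                    # the element's own label, for the analyst
    key: str                      # which element key carried the markup (normally "description")
    reasons: list[str] = field(default_factory=list)
    snippet: str = ""


def classify_text(text: str) -> list[str]:
    """Return the reasons a stored value looks like injected markup (empty if clean)."""
    reasons = []
    for tag in sorted({m.group(1).lower() for m in TAG_RE.finditer(text)}):
        risk = " (high risk)" if tag in HIGH_RISK_TAGS else ""
        reasons.append(f"html tag <{tag}>{risk}")
    for handler in sorted({m.group(1).lower() for m in EVENT_HANDLER_RE.finditer(text)}):
        reasons.append(f"event handler {handler}")
    for scheme in sorted({m.group(1).lower() for m in SCRIPT_SCHEME_RE.finditer(text)}):
        reasons.append(f"script URL scheme {scheme}:")
    return reasons


def scan_form_export(form_id: int, elements_json: str) -> list[Finding]:
    """Scan one form's exported element list; every string-valued key is checked."""
    findings = []
    for element in json.loads(elements_json):
        label = str(element.get("label", element.get("type", "?")))
        for key, value in element.items():
            if not isinstance(value, str):
                continue
            reasons = classify_text(value)
            if reasons:
                findings.append(Finding(form_id, label, key, reasons, value[:80]))
    return findings


def scan_exports(exports: dict[int, str]) -> list[Finding]:
    """Scan a {form_id: exported_json} mapping built from the WP-CLI commands above."""
    findings = []
    for form_id in sorted(exports):
        findings.extend(scan_form_export(form_id, exports[form_id]))
    return findings


# Constructed sample exports (not real site data). Form 12 is clean; form 15 carries
# two injected values and one benign "<" that must not be flagged.
SAMPLE_EXPORTS = {
    12: json.dumps([
        {"type": "text", "label": "Full name", "description": "As printed on your card", "required": True},
        {"type": "email", "label": "Email", "description": "The receipt is sent here"},
    ]),
    15: json.dumps([
        {"type": "text", "label": "Company", "description": "Optional <img src=x onerror=alert(document.domain)>"},
        {"type": "checkbox", "label": "Terms",
         "description": '<a href="javascript:alert(1)" onclick="x()">Read the terms</a>'},
        {"type": "paragraph", "label": "Note", "description": "Amounts < 10 or > 100 are rejected"},
    ]),
}

if __name__ == "__main__":
    for f in scan_exports(SAMPLE_EXPORTS):
        print(f"form {f.form_id} field {f.label!r} key {f.key}: {', '.join(f.reasons)} :: {f.snippet}")
```

Hits in a field that non-administrator accounts edited, cross-referenced with the audit entries described above, are the strongest signal; a hit alone still needs a human look before the form is treated as compromised.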
Monitoring Recommendations
- Enable a web application firewall rule that inspects Help Text parameters submitted to GetPaid endpoints for HTML tags.
- Alert on WordPress audit events where users below the administrator role modify payment forms.
- Monitor Content Security Policy violation reports for inline script or unexpected image sources on pages that host payment forms.
How to Mitigate CVE-2021-47948
Immediate Actions Required
- Upgrade the GetPaid (Invoicing) plugin to a release later than 2.4.6 that sanitizes Help Text input.
- Restrict payment form creation and editing privileges to trusted administrator accounts only.
- Review existing payment forms and remove any Help Text values containing HTML markup.
Patch Information
The vendor distributes updates through the official WordPress Invoicing Plugin page. Install the latest plugin version from the WordPress plugin directory and verify the Help Text field is rendered as escaped text after the update. Confirm the patched version through the VulnCheck advisory.
Workarounds
- Remove payment form management capabilities from non-administrator roles using a WordPress role editor until the plugin is updated.
- Deploy a Content Security Policy on pages containing payment forms that restricts script-src and img-src to trusted origins, omits 'unsafe-inline', and names a report-uri or report-to endpoint so violations surface. Note the limits: many WordPress themes and plugins depend on inline scripts, and CSP does not stop HTML-only payloads such as fake input fields, so it complements rather than replaces the plugin update.
- Add a WAF signature that rejects requests to GetPaid form endpoints whose Help Text parameter contains a tag-like sequence (< followed by a letter, / or !). Matching on any < or > character also blocks legitimate text such as "amount < 10"; confirm the actual parameter name from a captured form-save request before switching the rule to blocking mode.
# Example WAF rule (ModSecurity) blocking HTML in Help Text submissions.
# The parameter name help_text is assumed; confirm it against a captured form-save request.
# The regex requires "<" followed by a letter, "/" or "!", so prose like "amount < 10" passes,
# and the rule targets only the Help Text argument rather than every argument in the request.
SecRule ARGS:/help_text/ "@rx (?i)<[a-z/!]" \
    "id:1004794801,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,\
    msg:'Possible HTML injection in GetPaid Help Text (CVE-2021-47948)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


