Medium severity5.4NVD Advisory· Published May 10, 2026· Updated May 12, 2026

CVE-2021-47948

Description

WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed.

Affected products

WordPress/Invoicingreferences
Package: https://wordpress.org/plugins/invoicing

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wordpress.org/plugins/invoicing/nvd
www.exploit-db.com/exploits/50246nvd
www.vulncheck.com/advisories/wordpress-getpaid-plugin-html-injection-via-help-textnvd

News mentions

One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk
The Hacker News · May 8, 2026

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000