Vulnerabilities and security researches forinvoicing invoicing

Jun 06, 2024

CVE, Research URL: CVE-2021-24369
Home page URL: Security reports for Payment forms, Buy now buttons and Invoicing System | GetPaid
Application: Payment forms, Buy now buttons and Invoicing System | GetPaid
Date: Jun 22, 2021
Research Description: In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation.
Affected versions: max 2.3.4.
Status: vulnerable

Sep 01, 2024

CVE, Research URL: CVE-2024-43973
Home page URL: Security reports for Payment forms, Buy now buttons and Invoicing System | GetPaid
Application: Payment forms, Buy now buttons and Invoicing System | GetPaid
Date: Nov 01, 2024
Research Description: Missing Authorization vulnerability in AyeCode Ltd GetPaid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetPaid: from n/a through 2.8.11.
Affected versions: max 2.8.12.
Status: vulnerable

May 12, 2026

CVE, Research URL: CVE-2021-47948
Home page URL: Security reports for Payment forms, Buy now buttons and Invoicing System | GetPaid
Application: Payment forms, Buy now buttons and Invoicing System | GetPaid
Date: May 10, 2026
Research Description: WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed.
Affected versions: max 2.4.6.
Status: vulnerable