What is CVE-2021-47948?

CVE-2021-47948 is a medium-severity vulnerability in Invoicing Payments Plugin Getpaid, classified under Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS). CVSS score: 5.4/10. Published 2026-05-10.

How severe is CVE-2021-47948?

Medium severity. CVSS v3 base score is 5.4 out of 10.

XSS in Invoicing Payments Plugin Getpaid

CVE-2021-47948

WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including ima…

EPSS: 0.000 (8.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.

Affected products

Invoicing Payments Plugin Getpaid — versions 2.4.6

Weakness classification (CWE)

CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

References

ExploitDB-50246 (exploit)
Product Reference (product)
VulnCheck Advisory: WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text (third-party-advisory)

Frequently asked questions

What is CVE-2021-47948?: CVE-2021-47948 is a medium-severity vulnerability in Invoicing Payments Plugin Getpaid, classified under Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS). CVSS score: 5.4/10. Published 2026-05-10.
How severe is CVE-2021-47948?: Medium severity. CVSS v3 base score is 5.4 out of 10.