PatchSiren cyber security CVE debrief
CVE-2026-49064 Stiofan CVE debrief
CVE-2026-49064 is a HIGH severity vulnerability in the GetPaid plugin for WordPress, with a CVSS score of 7.5. The vulnerability is caused by an Insertion of Sensitive Information Into Sent Data issue, which allows attackers to retrieve embedded sensitive data. This issue affects GetPaid versions from n/a through 2.8.49.
- Vendor: Stiofan
- Product: GetPaid
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of the GetPaid plugin for WordPress, particularly those running versions from n/a through 2.8.49, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and is classified under CWE-201. The vulnerability was published on June 15, 2026, and has not been modified since.
Defensive priority
HIGH
Recommended defensive actions
- Update the GetPaid plugin to a version later than 2.8.49
- Review and restrict access to sensitive data
Evidence notes
Evidence for this CVE comes from the National Vulnerability Database (NVD) and Patchstack.
Official resources
- CVE-2026-49064 CVE record (CVE.org)
- CVE-2026-49064 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-49064 was published on June 15, 2026.