PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-47948 WordPress CVE debrief

CVE-2021-47948 affects the WordPress GetPaid plugin 2.4.6 and allows authenticated HTML injection through the Help Text field in payment forms. Because the content is stored and later rendered in the browser, malicious markup can execute when the form is viewed, which raises the risk of stored cross-site scripting behavior.

Vendor: WordPress
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

WordPress site administrators, security teams, and anyone operating the GetPaid plugin should review this issue, especially if users beyond a tightly controlled admin group can create or edit payment forms.

Technical summary

The supplied record describes an authenticated input-handling flaw in the Help Text field for payment forms in GetPaid 2.4.6. Injected HTML is stored in the database and then rendered back to viewers of the form, and the NVD metadata maps the issue to CWE-80. NVD also lists the vulnerability as medium severity with a CVSS v4 score of 5.1.

Defensive priority

Medium priority. If the GetPaid plugin is in use, review it promptly because the issue can affect form content seen by end users, but the supplied data does not indicate wormable behavior, unauthenticated access, or KEV inclusion.

Recommended defensive actions

  • Confirm whether WordPress sites use the GetPaid plugin and specifically version 2.4.6 or other affected releases.
  • Upgrade to a vendor-fixed version if one is available from the plugin maintainer; if no fix is available, consider disabling or removing the plugin until remediation is confirmed.
  • Restrict who can create or edit payment forms and review existing permissions for the Help Text field.
  • Audit stored Help Text entries for unexpected HTML, script tags, or other untrusted markup and remove anything suspicious.
  • If custom code or extensions render this field, ensure output is properly sanitized or encoded before display.
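The two code-facing actions above (auditing stored Help Text for untrusted markup, and encoding or sanitizing the field before display) can be handled with one small set of helpers. The following is an added example written for this debrief; it is not code from the GetPaid plugin or from WordPress, and it assumes only that the WordPress runtime is loaded so that the core wp_kses() and esc_html() functions exist. How GetPaid actually stores the Help Text field (meta key, table, option name) is not stated in the advisory, so the function names prefixed getpaid_ and the sample entries are hypothetical and constructed.

```php
<?php
/**
 * Added example (not GetPaid's or WordPress's own code): audit stored
 * payment-form Help Text for disallowed markup and render it safely.
 *
 * Assumes the WordPress runtime is loaded (wp_kses and esc_html are core).
 * The plugin's real storage of the Help Text field is unknown here; the
 * getpaid_* helper names and the sample entries below are constructed.
 */

// Strict allowlist: Help Text is short explanatory copy, so only inline
// formatting is permitted. No links, no style attributes, no event handlers.
const HELP_TEXT_ALLOWED_TAGS = array(
    'strong' => array(),
    'em'     => array(),
    'br'     => array(),
);

/**
 * Return the Help Text with everything outside the allowlist removed.
 * wp_kses() also strips attributes such as onerror= and javascript: URLs.
 */
function getpaid_safe_help_text( $stored ) {
    return wp_kses( (string) $stored, HELP_TEXT_ALLOWED_TAGS );
}

/**
 * Audit helper: true when a stored value contains markup the allowlist
 * rejects, i.e. something a sanitizing render would have to strip.
 * Comparing raw input against the kses-filtered output catches <script>,
 * <iframe>, event-handler attributes and javascript: URLs without
 * maintaining a separate blocklist that would need to be kept current.
 */
function getpaid_help_text_is_suspicious( $stored ) {
    $raw      = (string) $stored;
    $filtered = getpaid_safe_help_text( $raw );
    return $raw !== $filtered;
}

/**
 * Run the audit over form_id => help_text pairs and return the ids whose
 * Help Text would be altered by sanitization. A real run would load the
 * pairs from the plugin's own storage (location unknown to this example).
 */
function getpaid_audit_help_text( array $entries ) {
    $flagged = array();
    foreach ( $entries as $form_id => $help_text ) {
        if ( getpaid_help_text_is_suspicious( $help_text ) ) {
            $flagged[] = $form_id;
        }
    }
    return $flagged;
}

/**
 * Rendering, vulnerable vs. hardened. The first echoes the stored value
 * verbatim (the CWE-80 pattern the advisory describes); the second passes
 * it through the allowlist. If the field never needs formatting at all,
 * esc_html() is simpler and stricter than an allowlist.
 */
function getpaid_render_help_text_vulnerable( $stored ) {
    return '<p class="getpaid-help">' . $stored . '</p>';
}

function getpaid_render_help_text_hardened( $stored ) {
    return '<p class="getpaid-help">' . getpaid_safe_help_text( $stored ) . '</p>';
}

function getpaid_render_help_text_plain( $stored ) {
    return '<p class="getpaid-help">' . esc_html( (string) $stored ) . '</p>';
}

// Constructed sample data for a dry run; 101 is benign, 102 and 103 carry
// the kind of markup an audit should surface.
$sample_entries = array(
    101 => 'Enter the <strong>billing</strong> email you used at checkout.',
    102 => 'Questions? <script>alert(1)</script>',
    103 => 'Upload a receipt <img src=x onerror=alert(1)>',
);

// Expected: form ids 102 and 103 are flagged; 101 is left untouched.
echo 'Flagged forms: ' . implode( ', ', getpaid_audit_help_text( $sample_entries ) ) . "\n";
echo getpaid_render_help_text_hardened( $sample_entries[103] ) . "\n";
```

The audit helper deliberately reuses the same allowlist as the renderer, so "suspicious" means exactly "would be changed by the safe render path"; that keeps the two in step when the allowlist is tightened later. Treat a non-empty flagged list as a review queue rather than an automatic delete: an entry may simply contain formatting that a stricter allowlist no longer permits.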

Evidence notes

The supplied corpus ties this CVE to the WordPress GetPaid plugin and states that authenticated attackers can inject arbitrary HTML through the Help Text field in payment forms. The vulnerability is categorized as CWE-80 in the NVD metadata and carries a CVSS v4 base score of 5.1. The timeline provided with the source places the CVE/NVD publication and modification context on 2026-05-10, and no KEV entry is present in the supplied data.

Official resources

Use the CVE/NVD publication date supplied in the corpus for timing context: 2026-05-10. The provided data does not include a KEV listing or ransomware linkage, and no exploit steps are included here.