CVE-2021-24369

Name of the Vulnerable Software and Affected Versions GetPaid WordPress plugin versions prior to 2.3.4

Description The issue concerns the GetPaid WordPress plugin, where users with the contributor role and above can create a new Payment Form. However, the Label and Help Text input fields were not properly sanitized, allowing the injection of malicious content such as img tags. This leads to a Stored Cross-Site Scripting issue, which is triggered when the form is edited, for example, when an admin reviews it, and could lead to privilege escalation.

Recommendations For versions prior to 2.3.4, update to version 2.3.4 or later to resolve the issue. As a temporary workaround, consider restricting the ability of users with the contributor role and above to create new Payment Forms until the update is applied. Additionally, restrict access to the Label and Help Text input fields to minimize the risk of exploitation.