Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable WordPress endpoint, no auth or interaction required, leakage only affects confidentiality of embedded sensitive data with no integrity or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data.
This issue affects GetPaid: from n/a through 2.8.49.
AnalysisAI
Sensitive information disclosure in the GetPaid WordPress plugin (also known as Invoicing, by Stiofan) through version 2.8.49 allows remote unauthenticated attackers to retrieve embedded sensitive data via responses sent by the plugin. The flaw is classified as CWE-201 and was reported by Patchstack; no public exploit identified at time of analysis, but the network-reachable, no-auth, no-interaction CVSS profile makes opportunistic discovery plausible on exposed WordPress sites.
Technical ContextAI
GetPaid (slug 'invoicing') is a WordPress plugin by Stiofan used for invoicing, payments, and paid content on WordPress sites, identified by CPE cpe:2.3:a:stiofan:getpaid:*. CWE-201 (Insertion of Sensitive Information Into Sent Data) means the application embeds data into outbound responses (HTML, JSON, headers, or API payloads) that the requester should not be authorized to see - typically caused by an endpoint or template returning fields beyond what the consumer needs, such as internal IDs, configuration values, customer/order metadata, tokens, or other backend state. In a WordPress plugin context this commonly manifests as a REST route, AJAX action (admin-ajax.php), shortcode render, or front-end view that leaks fields from invoices, customer records, or plugin settings without an authorization check on what is included in the response.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied data - the Patchstack advisory marks the issue as affecting GetPaid up to and including 2.8.49 without naming a fixed release, so administrators should monitor the plugin's WordPress.org page and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/invoicing/vulnerability/wordpress-getpaid-plugin-2-8-49-sensitive-data-exposure-vulnerability) and upgrade to a release newer than 2.8.49 as soon as the maintainer publishes one. Until a fix ships, compensating controls include: deactivating the GetPaid/Invoicing plugin on sites that do not actively need it (trade-off: removes invoicing/payment UI and shortcodes); placing the WordPress admin and any GetPaid REST/AJAX endpoints behind a WAF rule or virtual patch - Patchstack provides one to subscribers - restricting access to the affected routes (trade-off: may block legitimate integrations until rules are tuned); restricting public access to wp-json/getpaid/* (or the plugin's specific REST namespace) and admin-ajax.php actions related to invoicing via web-server ACLs or authenticated reverse proxy (trade-off: can break front-end checkout flows that rely on those endpoints, so test before enforcing); and reviewing access and request logs for unusual GET/POST volume against invoice, customer, or settings endpoints to detect probing.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36724
GHSA-2fc2-fmg6-qjpw