Getpaid
Monthly
Sensitive information disclosure in the GetPaid WordPress plugin (also known as Invoicing, by Stiofan) through version 2.8.49 allows remote unauthenticated attackers to retrieve embedded sensitive data via responses sent by the plugin. The flaw is classified as CWE-201 and was reported by Patchstack; no public exploit identified at time of analysis, but the network-reachable, no-auth, no-interaction CVSS profile makes opportunistic discovery plausible on exposed WordPress sites.
In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Sensitive information disclosure in the GetPaid WordPress plugin (also known as Invoicing, by Stiofan) through version 2.8.49 allows remote unauthenticated attackers to retrieve embedded sensitive data via responses sent by the plugin. The flaw is classified as CWE-201 and was reported by Patchstack; no public exploit identified at time of analysis, but the network-reachable, no-auth, no-interaction CVSS profile makes opportunistic discovery plausible on exposed WordPress sites.
In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.