WordPress GetPaid Plugin HTML Injection Vulnerability

A HTML injection vulnerability has been identified in the WordPress GetPaid Plugin version 2.4.6. This vulnerability allows authenticated attackers to inject arbitrary HTML, including image tags and scripts, by exploiting the Help Text field in payment forms. The injected HTML is stored in the database and executed in the browser when the form is viewed.

Impact

Exploitation of this vulnerability allows for HTML injection, which could be used to execute scripts in the context of the user viewing the form, potentially leading to cross-site scripting (XSS)

Reproduction

To reproduce this vulnerability, install WordPress version 5.8 and activate the GetPaid Plugin version 2.4.6. Navigate to the Payment Forms section and create a new form. In the Help Text field, inject HTML code, such as an image tag. Once the form is saved, the injected HTML will be executed when the form is viewed.