CVE-2021-24369

CVE-2021-24369: GetPaid < 2.3.4 - Authenticated Stored XSS

Vendor Ayecode Ltd

Product WordPress Payments Plugin | GetPaid

Weakness CWE-79 · XSS

Published June 21, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation.

Key dates

02Disclosure timeline

June 21, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24369 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2021-32764 YouTube Onebox susceptible to XSS CVE-2025-53822 WeGIA vulnerable to Reflected Cross-Site Scripting in endpoint 'relatorio_geracao.php' parameter 'tipo_relatorio' CVE-2025-31597 WordPress Ultimate Live Cricket WordPress Lite plugin <= 1.4.2 - Cross Site Scripting (XSS) vulnerability CVE-2023-0038 Survey Maker – Best WordPress Survey Plugin <= 3.1.3 - Unauthenticated Stored Cross-Site Scripting CVE-2022-2737 WP STAGING < 2.9.18 - Admin+ Stored Cross-Site Scripting