Executive Summary

The WordPress GetPaid Plugin version 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code into the Help Text field of payment forms.

This injected HTML, which can include malicious scripts or image tags, is stored in the database and executed in the browser when the payment form is viewed.

This vulnerability is classified as a stored cross-site scripting (XSS) issue, enabling attackers to execute malicious code in the context of the affected website.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in the WordPress GetPaid Plugin 2.4.6 allows injection of malicious HTML code into payment forms, which can lead to execution of scripts in users' browsers. This can potentially expose sensitive payment information if attackers exploit the vulnerability to manipulate or steal data.

Since the plugin handles payment forms and invoicing, the presence of this vulnerability could impact compliance with regulations such as GDPR and HIPAA by risking unauthorized access or exposure of personal and payment data.

The plugin has features related to tax management and VAT compliance, and security concerns have been raised about invoice accessibility, which by default are public and can expose sensitive payment information unless mitigated by requiring login.

Therefore, this vulnerability could undermine the security controls necessary to meet common standards and regulations that require protection of personal and payment data, such as GDPR and HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to execute malicious HTML or scripts in the browsers of users viewing the affected payment forms.

Potential impacts include theft of user credentials, session hijacking, defacement of the website, or redirection to malicious sites.

Since the malicious code is stored and executed when the form is viewed, it can affect multiple users and persist until the vulnerability is fixed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking the Help Text field in payment forms created by the GetPaid WordPress plugin version 2.4.6 for injected HTML code such as image tags or scripts.

Since the malicious HTML is stored in the database and executed when the form is viewed, you can inspect the database entries related to payment forms for suspicious HTML content.

Additionally, monitoring HTTP responses for unexpected HTML or script tags in pages rendering payment forms can help detect exploitation.

• Use SQL queries to search the database for suspicious HTML in the Help Text field, for example: SELECT * FROM wp_getpaid_payment_forms WHERE help_text LIKE '%<script>%' OR help_text LIKE '%<img %';
• Use curl or wget commands to fetch the payment form pages and grep for suspicious HTML tags: curl -s https://yourwordpresssite.com/payment-form | grep -E '<script>|<img '
• Use browser developer tools to inspect the rendered payment form pages for unexpected HTML or script elements injected via the Help Text field.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, update the GetPaid WordPress plugin to a version later than 2.4.6 where the HTML injection flaw is fixed.

If an update is not immediately available, restrict access to the payment form creation interface to trusted authenticated users only, as the vulnerability requires authentication.

Sanitize and validate the Help Text field input to prevent injection of arbitrary HTML code.

Review and clean existing payment forms for any injected malicious HTML and remove it.

Consider enabling security plugins or web application firewalls that can detect and block malicious HTML or script injections.

Useful 0 Not Useful 0