CVE-2026-49064
Status: Received - Intake
Sensitive Data Exposure in GetPaid

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Patchstack

Description

Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49.
Meta Information

Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)

Vendor: patchstack
Product: getpaid
Version / Range: from 2.8.0 (inclusive) to 2.8.49 (inclusive)
CWE

CWE-201: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Executive Summary

The vulnerability in the WordPress GetPaid Plugin (version 2.8.49 and below) is a Sensitive Data Exposure issue. It allows unauthenticated attackers to retrieve embedded sensitive information that should normally be restricted. This means attackers can access confidential data without needing any permissions or authentication.

Impact Analysis

This vulnerability poses a high risk as attackers can access sensitive information, potentially leading to further exploitation of the system. It can be used in mass-exploit campaigns targeting many websites, regardless of their size or popularity. The exposure of sensitive data can compromise the security and privacy of your website and its users.

Mitigation Strategies

Immediate action is recommended to mitigate this vulnerability in the WordPress GetPaid Plugin versions 2.8.49 and below.

  • Update the GetPaid plugin to version 2.8.50 or later.
  • If updating is not possible, seek assistance from your hosting provider or web developer.
  • Apply the mitigation rule provided by Patchstack to block attacks until the plugin is updated.

Compliance Impact

The vulnerability in the WordPress GetPaid Plugin allows unauthenticated attackers to access sensitive information that is normally restricted. Exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate the protection of personal and sensitive information.

Because this vulnerability enables sensitive data exposure, organizations using affected versions of the plugin may be at risk of violating these regulations if the exposed data includes personal or protected health information.

Immediate remediation is recommended to reduce the risk of data breaches and maintain compliance.

Detection Guidance

The vulnerability in the WordPress GetPaid Plugin versions 2.8.49 and below allows unauthenticated attackers to access sensitive information. Detection can involve monitoring for unusual or unauthorized access attempts to the plugin endpoints that handle sensitive data.

Since the vulnerability involves sensitive data exposure via the plugin, one approach is to check web server logs for suspicious requests targeting the GetPaid plugin paths or parameters that might be used to retrieve embedded sensitive data.

Patchstack has provided a mitigation rule to block attacks until the plugin is updated, which may include specific signatures or firewall rules to detect exploit attempts.

However, no specific detection commands or scripts are provided in the available resources.
