# Exploit Title: WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection # Date: 29/08/2021 # Exploit Author: Niraj Mahajan # Software Link: https://wordpress.org/plugins/invoicing/ # Version: 2.4.6 # Tested on Windows *Steps to Reproduce:* 1. Install Wordpress 5.8 2. Install and Activate "WordPress Payments Plugin | GetPaid" Version 2.4.6 3. Navigate to GetPaid > Payment Forms 4. Click on "Add New" in the Payment Form page 5. Add a title and Click on Billing Email 6. You can see the "Help Text" field on the left hand side. 7. Add the below HTML code into the "Help Text" Field. <img src=" https://www.pandasecurity.com/en/mediacenter/src/uploads/2019/07/pandasecurity-How-do-hackers-pick-their-targets.jpg" height="200px" width="200px"> 8. You will observe that the HTML code has successfully got stored into the database and executed successfully and we are getting an Image at the right hand side.