CVE-2026-49064: WordPress GetPaid plugin <= 2.8.49 - Sensitive Data Exposure vulnerability
Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no fixed version published upstream)
- Affected Products: 1
HarborGuard Analysis
Synopsis
A sensitive data exposure vulnerability affects the GetPaid WordPress plugin at version 2.8.49 and below. The flaw is reachable over the network with no authentication required and no user interaction needed, meaning any remote party can trigger it. Successful exploitation allows an attacker to retrieve sensitive information embedded in data sent by the plugin. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection: Available. Detection capability for CVE-2026-49064 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds including Patchstack. This coverage extends to custom-built images that bundle the GetPaid plugin, not only images pulled from public registries.
- Scoring and routing: Available. HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and weighting it against each customer environment's compliance policy to determine urgency. Routed findings surface in the inbox configured for the relevant team within each customer organization.
- Patched-image rebuild: Pending upstream. Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Stiofan ships a corrected release. In the meantime, findings remain open and visible in each customer's vulnerability dashboard so teams can apply compensating controls.
Exploit Conditions
- Network reachability: Required. The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress instance via standard HTTP/HTTPS (AV:N).
- Authentication: Not required. No account or session credential is needed; the vulnerability is triggerable by any unauthenticated remote request (PR:N).
- Victim interaction: Not required. No user action, such as clicking a link or visiting a page, is needed to trigger the data exposure (UI:N).
- Attack complexity: Low. Exploitation is reliable and requires no special preconditions, race conditions, or environmental factors (AC:L).
Blast Radius
- An unauthenticated attacker can retrieve sensitive information embedded in data transmitted by the GetPaid plugin, which may include payment-related details, order metadata, or customer records depending on site configuration.
- Exposed data can be harvested passively at scale, since no authentication barrier limits who can send the triggering request.
- Confidentiality of information handled by the plugin is fully compromised (C:H); data integrity and service availability are not directly affected by this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-49064 is active across customer environments, matching any image that bundles GetPaid at or below version 2.8.49. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is published. Until then, recommended compensating controls include restricting external network access to the WordPress instance via network policy, applying egress filtering to limit data exfiltration paths, and auditing what sensitive fields the plugin includes in outbound responses. Customers with auto-remediation enabled will have a rebuilt image, regression-test run, and a PR opened against affected workloads automatically once an upstream fix is available.
Affected Products
- Stiofan / GetPaid: ≤ 2.8.49
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N