Skip to main content

GiveWP CVE-2026-13246

| EUVDEUVD-2026-40888 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 Wordfence GHSA-mv65-r2jq-jh8q
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Author-level authentication (PR:L) is required; stored payload executes on any visitor without further attacker action (UI:N); scope change (S:C) reflects cross-user browser impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:29 vuln.today
CVE Published
Jul 01, 2026 - 03:43 nvd
MEDIUM 6.4

DescriptionCVE.org

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and other) shortcode attributes of the 'givewp_campaign_comments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render(), where the blockId value is interpolated directly into a single-quoted HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-level WordPress access to inject persistent JavaScript payloads via the 'block_id' attribute of the 'givewp_campaign_comments' shortcode. The flaw originates in two code paths - CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render() - where the blockId value is interpolated directly into a single-quoted HTML attribute without WordPress's esc_attr() sanitization function. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain WordPress author credentials
Delivery
Craft block_id attribute with XSS payload
Exploit
Insert givewp_campaign_comments shortcode into post or page
Install
Publish or update content
C2
Victim visits injected page
Execute
Stored script executes in victim's browser
Impact
Session token or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with author-level access or higher (PR:L in CVSS terms). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a medium-severity stored XSS with changed scope, consistent with persistent cross-user impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a WordPress author account on a GiveWP-powered site creates or edits a post or page containing the givewp_campaign_comments shortcode and sets the block_id attribute to a value that breaks out of the single-quoted HTML attribute context, embedding a script tag. The payload is stored server-side and executes in the browser of every visitor who loads that page, enabling session cookie theft, credential harvesting overlays, or unauthorized actions on behalf of the victim. …
Remediation A fix is available via WordPress plugin Trac changeset 3590193 (https://plugins.trac.wordpress.org/changeset?old=3590193%40give&new=3590193%40give), which represents an upstream code correction. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy