Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Author-level authentication (PR:L) is required; stored payload executes on any visitor without further attacker action (UI:N); scope change (S:C) reflects cross-user browser impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and other) shortcode attributes of the 'givewp_campaign_comments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render(), where the blockId value is interpolated directly into a single-quoted HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-level WordPress access to inject persistent JavaScript payloads via the 'block_id' attribute of the 'givewp_campaign_comments' shortcode. The flaw originates in two code paths - CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render() - where the blockId value is interpolated directly into a single-quoted HTML attribute without WordPress's esc_attr() sanitization function. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with author-level access or higher (PR:L in CVSS terms). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a medium-severity stored XSS with changed scope, consistent with persistent cross-user impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a WordPress author account on a GiveWP-powered site creates or edits a post or page containing the givewp_campaign_comments shortcode and sets the block_id attribute to a value that breaks out of the single-quoted HTML attribute context, embedding a script tag. The payload is stored server-side and executes in the browser of every visitor who loads that page, enabling session cookie theft, credential harvesting overlays, or unauthorized actions on behalf of the victim. … |
| Remediation | A fix is available via WordPress plugin Trac changeset 3590193 (https://plugins.trac.wordpress.org/changeset?old=3590193%40give&new=3590193%40give), which represents an upstream code correction. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject
Cross-Site Request Forgery in GiveWP - Donation Plugin and Fundraising Platform (versions up to and including 4.15.3) al
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40888
GHSA-mv65-r2jq-jh8q