Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
UI:R corrects the provided UI:N because donor must actively click Share on Twitter; PR:L retained for required give worker authentication; S:C retained for cross-browser-boundary impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'twitter_message' Sequoia Template Setting in all versions up to, and including, 4.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with give worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected script executes specifically when a donor clicks the Share on Twitter button on the Sequoia donation confirmation view, as that is when the unescaped twitter_message value is evaluated inside the JavaScript template literal.
AnalysisAI
Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold an authenticated WordPress account with give worker-level role or higher - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) warrants scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with give worker-level credentials logs into the WordPress admin dashboard and navigates to the Sequoia template settings for a donation form, injecting a JavaScript payload into the twitter_message field - for example, breaking out of the template literal to steal the donor's session cookie or redirect them to a phishing page. A donor then completes a donation, sees the Sequoia confirmation screen, and clicks the 'Share on Twitter' button, at which point the unescaped template literal evaluates the attacker-controlled value and executes the script in the donor's browser context. … |
| Remediation | Update GiveWP to a version later than 4.16.3; a fix commit is available in the WordPress plugin SVN repository at https://plugins.trac.wordpress.org/changeset?reponame=&old=3607718%40give&new=3607718%40give, though an independently confirmed patched release version number (e.g., 4.16.4) is not explicitly stated in the available references - verify the exact patched release via the WordPress plugin repository or the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/bdd0ba4b-56f1-4f4b-95f7-28c911c8de09. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-lev
Cross-Site Request Forgery in GiveWP - Donation Plugin and Fundraising Platform (versions up to and including 4.15.3) al
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44859
GHSA-v6f8-q5jg-rg7r