Skip to main content

GiveWP Plugin CVE-2026-14987

| EUVDEUVD-2026-44859 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 Wordfence GHSA-v6f8-q5jg-rg7r
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

UI:R corrects the provided UI:N because donor must actively click Share on Twitter; PR:L retained for required give worker authentication; S:C retained for cross-browser-boundary impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 03:47 vuln.today
CVE Published
Jul 16, 2026 - 02:30 cve.org
MEDIUM 6.4

DescriptionCVE.org

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'twitter_message' Sequoia Template Setting in all versions up to, and including, 4.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with give worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected script executes specifically when a donor clicks the Share on Twitter button on the Sequoia donation confirmation view, as that is when the unescaped twitter_message value is evaluated inside the JavaScript template literal.

AnalysisAI

Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as give worker
Delivery
Inject XSS payload into twitter_message template setting
Exploit
Donor completes Sequoia donation form
Execution
Donor clicks Share on Twitter button
Persist
Template literal evaluates unescaped payload
Impact
Malicious script executes in donor's browser

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an authenticated WordPress account with give worker-level role or higher - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) warrants scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with give worker-level credentials logs into the WordPress admin dashboard and navigates to the Sequoia template settings for a donation form, injecting a JavaScript payload into the twitter_message field - for example, breaking out of the template literal to steal the donor's session cookie or redirect them to a phishing page. A donor then completes a donation, sees the Sequoia confirmation screen, and clicks the 'Share on Twitter' button, at which point the unescaped template literal evaluates the attacker-controlled value and executes the script in the donor's browser context. …
Remediation Update GiveWP to a version later than 4.16.3; a fix commit is available in the WordPress plugin SVN repository at https://plugins.trac.wordpress.org/changeset?reponame=&old=3607718%40give&new=3607718%40give, though an independently confirmed patched release version number (e.g., 4.16.4) is not explicitly stated in the available references - verify the exact patched release via the WordPress plugin repository or the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/bdd0ba4b-56f1-4f4b-95f7-28c911c8de09. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14987 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy