Skip to main content

GiveWP CVE-2026-34900

| EUVDEUVD-2026-36921 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-ccj6-3h2m-whv5
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network without authentication but needing a victim click; scope changes to the browser session, yielding low C/I/A impact on the user context.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:36 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in GiveWP <= 4.14.2 versions.

AnalysisAI

Unauthenticated reflected cross-site scripting in the GiveWP WordPress donation plugin (versions ≤4.14.2) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36921; no public exploit identified at time of analysis, and the CVSS scope-change rating of 7.1 reflects potential session hijacking or administrative action abuse against logged-in WordPress users including site administrators.

Technical ContextAI

GiveWP (CPE cpe:2.3:a:liquid_web_/_stellarwp:givewp) is a widely deployed WordPress fundraising and donation plugin maintained by Liquid Web / StellarWP. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS pattern where attacker-controlled input from an HTTP request parameter is echoed back into a rendered page without adequate output encoding or input sanitization. Because WordPress plugins typically render output within the same origin as the site's admin dashboard, an XSS payload executes in the security context of whichever user follows the malicious link, including potential donors, editors, or administrators.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the supplied data - administrators should upgrade GiveWP to the latest release above 4.14.2 as published by StellarWP and verify the version via the WordPress plugin manager, consulting https://patchstack.com/database/wordpress/plugin/give/vulnerability/wordpress-givewp-plugin-4-14-2-reflected-cross-site-scripting-xss-vulnerability for the exact fixed build. As a compensating control until patched, deploy a WordPress-aware WAF rule (Patchstack, Wordfence, or Cloudflare managed rules) to filter reflected XSS payloads on GiveWP endpoints, restrict /wp-admin access by IP allowlist to reduce administrator exposure to phishing links, and enforce a strict Content-Security-Policy that disallows inline script execution - noting that strict CSP may break legitimate GiveWP donation widgets and requires testing on a staging site.

More in Givewp

View all
CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2024-5932 CRITICAL POC
9.8 Aug 20

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2025-0912 CRITICAL
9.8 Mar 04

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.

CVE-2022-2260 MEDIUM POC
6.5 Aug 01

The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exp

CVE-2022-0252 MEDIUM POC
6.1 Feb 21

The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute i

CVE-2021-24213 MEDIUM POC
6.1 Apr 12

The GiveWP - Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-S

CVE-2019-9909 MEDIUM POC
6.1 Mar 22

The "Donation Plugin and Fundraising Platform" plugin before 2.3.1 for WordPress has wp-admin/edit.php csv XSS. Rated me

CVE-2024-9634 CRITICAL
9.8 Oct 16

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2024-37099 CRITICAL
9.8 Aug 19

Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.14.1. Rated critical severi

CVE-2019-13578 CRITICAL
9.8 Aug 15

A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Rated critical sever

CVE-2019-15317 MEDIUM POC
5.4 Aug 22

The give plugin before 2.4.7 for WordPress has XSS via a donor name. Rated medium severity (CVSS 5.4), this vulnerabilit

CVE-2020-20627 MEDIUM POC
5.3 Aug 31

The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauth

Share

CVE-2026-34900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy