Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liquid Web / StellarWP GiveWP allows DOM-Based XSS.
This issue affects GiveWP: from n/a through 4.14.5.
AnalysisAI
DOM-based cross-site scripting in the GiveWP WordPress donation plugin (versions up to and including 4.14.5) allows remote attackers to execute arbitrary JavaScript in a victim's browser session after the victim interacts with an attacker-supplied link or page element. The flaw carries a CVSS 7.1 score driven by changed scope (S:C), meaning impact extends beyond the vulnerable component into the surrounding WordPress site context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
GiveWP is a widely deployed WordPress donation/fundraising plugin maintained by Liquid Web / StellarWP, identified by CPE cpe:2.3:a:liquid_web_/_stellarwp:givewp. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a DOM-based variant where untrusted input flows through client-side JavaScript sinks (e.g., innerHTML, document.write, jQuery .html()) without proper neutralization. Unlike reflected or stored XSS, DOM-based XSS executes entirely in the browser when client-side script reads attacker-controllable values (URL fragments, query parameters, postMessage data) and injects them into the DOM, meaning the payload may never appear in server logs.
RemediationAI
Upgrade GiveWP to a version newer than 4.14.5 once StellarWP publishes a fixed release; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/give/vulnerability/wordpress-givewp-plugin-4-14-5-cross-site-scripting-xss-vulnerability and the StellarWP changelog for the exact patched build, as no vendor-released patched version was independently confirmed in the available data. As compensating controls until a patch is applied, deploy a strict Content-Security-Policy header that disables inline script and restricts script-src to trusted origins (note this can break legitimate plugin functionality and must be tested), enable a WordPress-aware WAF such as Patchstack, Wordfence, or Sucuri with virtual-patching for this CVE, restrict /wp-admin access by IP to limit exposure of authenticated administrators to malicious links, and instruct site administrators to avoid clicking GiveWP-related URLs from untrusted sources until the upgrade is completed.
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.
The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exp
The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute i
The GiveWP - Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-S
The "Donation Plugin and Fundraising Platform" plugin before 2.3.1 for WordPress has wp-admin/edit.php csv XSS. Rated me
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.14.1. Rated critical severi
A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Rated critical sever
The give plugin before 2.4.7 for WordPress has XSS via a donor name. Rated medium severity (CVSS 5.4), this vulnerabilit
The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauth
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33684
GHSA-6rpm-7x8w-42p8