Skip to main content

GiveWP EUVDEUVD-2026-33684

| CVE-2026-42678 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 Patchstack GHSA-6rpm-7x8w-42p8
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 17:16 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liquid Web / StellarWP GiveWP allows DOM-Based XSS.

This issue affects GiveWP: from n/a through 4.14.5.

AnalysisAI

DOM-based cross-site scripting in the GiveWP WordPress donation plugin (versions up to and including 4.14.5) allows remote attackers to execute arbitrary JavaScript in a victim's browser session after the victim interacts with an attacker-supplied link or page element. The flaw carries a CVSS 7.1 score driven by changed scope (S:C), meaning impact extends beyond the vulnerable component into the surrounding WordPress site context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

GiveWP is a widely deployed WordPress donation/fundraising plugin maintained by Liquid Web / StellarWP, identified by CPE cpe:2.3:a:liquid_web_/_stellarwp:givewp. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a DOM-based variant where untrusted input flows through client-side JavaScript sinks (e.g., innerHTML, document.write, jQuery .html()) without proper neutralization. Unlike reflected or stored XSS, DOM-based XSS executes entirely in the browser when client-side script reads attacker-controllable values (URL fragments, query parameters, postMessage data) and injects them into the DOM, meaning the payload may never appear in server logs.

RemediationAI

Upgrade GiveWP to a version newer than 4.14.5 once StellarWP publishes a fixed release; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/give/vulnerability/wordpress-givewp-plugin-4-14-5-cross-site-scripting-xss-vulnerability and the StellarWP changelog for the exact patched build, as no vendor-released patched version was independently confirmed in the available data. As compensating controls until a patch is applied, deploy a strict Content-Security-Policy header that disables inline script and restricts script-src to trusted origins (note this can break legitimate plugin functionality and must be tested), enable a WordPress-aware WAF such as Patchstack, Wordfence, or Sucuri with virtual-patching for this CVE, restrict /wp-admin access by IP to limit exposure of authenticated administrators to malicious links, and instruct site administrators to avoid clicking GiveWP-related URLs from untrusted sources until the upgrade is completed.

More in Givewp

View all
CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2024-5932 CRITICAL POC
9.8 Aug 20

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2025-0912 CRITICAL
9.8 Mar 04

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.

CVE-2022-2260 MEDIUM POC
6.5 Aug 01

The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exp

CVE-2022-0252 MEDIUM POC
6.1 Feb 21

The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute i

CVE-2021-24213 MEDIUM POC
6.1 Apr 12

The GiveWP - Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-S

CVE-2019-9909 MEDIUM POC
6.1 Mar 22

The "Donation Plugin and Fundraising Platform" plugin before 2.3.1 for WordPress has wp-admin/edit.php csv XSS. Rated me

CVE-2024-9634 CRITICAL
9.8 Oct 16

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2024-37099 CRITICAL
9.8 Aug 19

Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.14.1. Rated critical severi

CVE-2019-13578 CRITICAL
9.8 Aug 15

A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Rated critical sever

CVE-2019-15317 MEDIUM POC
5.4 Aug 22

The give plugin before 2.4.7 for WordPress has XSS via a donor name. Rated medium severity (CVSS 5.4), this vulnerabilit

CVE-2020-20627 MEDIUM POC
5.3 Aug 31

The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauth

Share

EUVD-2026-33684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy