Skip to main content

Givewp Donation Plugin And Fundraising Platform

3 CVEs product

Monthly

CVE-2026-14987 MEDIUM This Month

Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD VulDB
CVSS 3.1
6.4
CVE-2026-11981 MEDIUM This Month

Cross-Site Request Forgery in GiveWP - Donation Plugin and Fundraising Platform (versions up to and including 4.15.3) allows unauthenticated remote attackers to disable donation email notifications by tricking a logged-in administrator into clicking a crafted link. The root cause is absent nonce validation in the give_set_notification_status_handler() AJAX handler, permitting forged state-changing requests. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; however, the integrity impact - silently disabling donation notifications - could cause operational blind spots for nonprofit or fundraising site operators.

WordPress CSRF Givewp Donation Plugin And Fundraising Platform
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13246 MEDIUM This Month

Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-level WordPress access to inject persistent JavaScript payloads via the 'block_id' attribute of the 'givewp_campaign_comments' shortcode. The flaw originates in two code paths - CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render() - where the blockId value is interpolated directly into a single-quoted HTML attribute without WordPress's esc_attr() sanitization function. Any visitor loading an injected page will have the malicious script execute in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVSS 6.4
MEDIUM This Month

Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in GiveWP - Donation Plugin and Fundraising Platform (versions up to and including 4.15.3) allows unauthenticated remote attackers to disable donation email notifications by tricking a logged-in administrator into clicking a crafted link. The root cause is absent nonce validation in the give_set_notification_status_handler() AJAX handler, permitting forged state-changing requests. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; however, the integrity impact - silently disabling donation notifications - could cause operational blind spots for nonprofit or fundraising site operators.

WordPress CSRF Givewp Donation Plugin And Fundraising Platform
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-level WordPress access to inject persistent JavaScript payloads via the 'block_id' attribute of the 'givewp_campaign_comments' shortcode. The flaw originates in two code paths - CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render() - where the blockId value is interpolated directly into a single-quoted HTML attribute without WordPress's esc_attr() sanitization function. Any visitor loading an injected page will have the malicious script execute in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy