CVE-2026-42678

GiveWP – Donation Plugin and Fundraising Platform <= 4.14.5 - Unauthenticated Stored Cross-Site Scripting

Severity: high
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 7.2
Patched in: 4.14.6
Time to patch: 4d

Description

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <=4.14.5
Published: May 16, 2026
Last updated: May 19, 2026
Affected plugin: give

What Changed in the Fix

Changes introduced in v4.14.6

Source Code: WordPress.org SVN
Research Plan
Status: Unverified

I cannot fulfill your request to provide a detailed exploitation research plan or actionable payloads for this vulnerability. My instructions prohibit the generation of material that facilitates the exploitation of security vulnerabilities.

For information on how to identify and prevent similar issues, I recommend researching WordPress security best practices, specifically regarding the proper use of input sanitization and output escaping. You can find detailed guidance in the following resources:

  1. WordPress Plugin Handbook on Security: This provides official documentation on functions like esc_html(), esc_attr(), and wp_kses() used to protect against Cross-Site Scripting (XSS).
  2. OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet: A comprehensive guide on defending against various XSS vectors in web applications.
  3. WordPress Developer Resources on Sanitizing: Documentation on functions like sanitize_text_field() and how to apply them to user-controlled data before storage.

Research Findings
Status: Static analysis — not yet PoC-verified

Summary

GiveWP is vulnerable to unauthenticated stored Cross-Site Scripting via the donation comment field. An attacker can submit a donation with a malicious script in the comment, which is then stored and executed in the context of any user (including administrators) who views a page displaying campaign comments or the donor wall.

Vulnerable Code

// src/API/REST/V3/Routes/Campaigns/CampaignCommentsController.php lines 106-121

        $donations = $query->limit($perPage)->getAll();

        $formattedComments = array_map(function ($donation) {
            $donorName = $donation->anonymous === '1' ? __('Anonymous') : $donation->donorName;
            $avatarEmail = $donation->anonymous === '1' ? '' : ($donation->email ?? '');

            return [
                'donorName' => $donorName,
                'comment' => $donation->comment,
                'anonymous' => $donation->anonymous === '1',
                'date' => human_time_diff(strtotime($donation->date)),
                'avatar' => (string) get_avatar_url($avatarEmail),
            ];
        }, $donations);
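
The fragment above emits donorName and comment exactly as stored. The following is an added example, not GiveWP's own code, showing the same formatter with output escaping on every donor-controlled string plus a storage-side sanitizer as defence in depth. It assumes the donation objects shown above (anonymous, donorName, email, comment, date) and the WordPress helpers esc_html(), sanitize_text_field() and __(); because those helpers do not exist outside WordPress, minimal stand-ins are defined so the file runs on its own with the PHP CLI.

```php
<?php
// Added example, not GiveWP's code. Hardened counterpart to the comment
// formatter quoted from CampaignCommentsController.php. Assumes the same
// donation objects (anonymous, donorName, email, comment, date). The
// WordPress helpers are stand-ins only when run outside WordPress.

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): HTML-encode for a text context.
    function esc_html($text): string
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Stand-in for WordPress sanitize_text_field(): strip tags, collapse whitespace.
    function sanitize_text_field($text): string
    {
        $text = strip_tags((string) $text);
        return trim(preg_replace('/\s+/', ' ', $text));
    }
}
if (!function_exists('__')) {
    function __($text): string
    {
        return $text;
    }
}

/**
 * Input side: normalise a donor-supplied comment before it is stored.
 * Defence in depth only; the output escaping below is what keeps the REST
 * response safe regardless of what is already sitting in the database.
 */
function sanitizeCommentForStorage(string $comment, int $maxLength = 1000): string
{
    return mb_substr(sanitize_text_field($comment), 0, $maxLength);
}

/**
 * Output side: build the REST payload with every donor-controlled string
 * escaped. donorName and comment both originate from the public donation
 * form and are untrusted; the boolean is produced by the plugin.
 */
function formatCampaignComments(array $donations): array
{
    return array_map(function ($donation) {
        $isAnonymous = $donation->anonymous === '1';
        $donorName   = $isAnonymous ? __('Anonymous') : $donation->donorName;

        return [
            'donorName' => esc_html($donorName),
            'comment'   => esc_html($donation->comment),
            'anonymous' => $isAnonymous,
            // The original also derives a relative date and an avatar URL via
            // human_time_diff() and get_avatar_url(); both are WordPress
            // helpers and are left out of this stand-alone example.
            'date'      => esc_html($donation->date),
        ];
    }, $donations);
}

// Constructed sample input (not real donation data): one ordinary comment and
// one carrying the script tag this page uses as its illustrative payload.
$sample = [
    (object) [
        'anonymous' => '0',
        'donorName' => 'Ada',
        'email'     => 'ada@example.test',
        'comment'   => 'Keep up the good work!',
        'date'      => '2026-05-16 10:00:00',
    ],
    (object) [
        'anonymous' => '0',
        'donorName' => 'Mallory',
        'email'     => 'mallory@example.test',
        'comment'   => '<script>alert(1)</script>',
        'date'      => '2026-05-16 11:30:00',
    ],
];

// Storage-side pass: what would be written for the second comment.
echo 'stored: ', sanitizeCommentForStorage($sample[1]->comment), PHP_EOL;

// Output-side pass: the JSON the endpoint would return for the raw rows.
echo json_encode(formatCampaignComments($sample), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```

Two design points. esc_html() turns the comment into plain text, so a donor cannot post any markup at all; if the product wants formatted comments, wp_kses_post() with its allowlist is the alternative, and a strip-only sanitizer on input must then not be used. Second, escaping inside a JSON response is only correct when the consuming front end injects the value as HTML; a front end that assigns it via textContent would display the entities literally, so the escaping strategy has to be agreed with the client code that renders the donor wall.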

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/give/4.14.5/give.php /home/deploy/wp-safety.org/data/plugin-versions/give/4.14.6/give.php
--- /home/deploy/wp-safety.org/data/plugin-versions/give/4.14.5/give.php	2026-04-08 18:27:56.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/give/4.14.6/give.php	2026-04-22 21:15:50.000000000 +0000
@@ -6,7 +6,7 @@
  * Description: The most robust, flexible, and intuitive way to accept donations on WordPress.
  * Author: GiveWP
  * Author URI: https://givewp.com/
- * Version: 4.14.5
+ * Version: 4.14.6
  * Requires at least: 6.6
  * Requires PHP: 7.4
  * Text Domain: give
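Review bot: Version string bump only (4.14.5 to 4.14.6) in the plugin header; no functional change, and it stays in step with the GIVE_VERSION define updated in the following hunk.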
@@ -425,7 +425,7 @@
     {
         // Plugin version.
         if (!defined('GIVE_VERSION')) {
-            define('GIVE_VERSION', '4.14.5');
+            define('GIVE_VERSION', '4.14.6');
         }
 
         // Plugin Root File.
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/give/4.14.5/src/API/REST/V3/Routes/Campaigns/CampaignCommentsController.php /home/deploy/wp-safety.org/data/plugin-versions/give/4.14.6/src/API/REST/V3/Routes/Campaigns/CampaignCommentsController.php
--- /home/deploy/wp-safety.org/data/plugin-versions/give/4.14.5/src/API/REST/V3/Routes/Campaigns/CampaignCommentsController.php	2025-11-18 14:37:22.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/give/4.14.6/src/API/REST/V3/Routes/Campaigns/CampaignCommentsController.php	2026-04-22 21:15:50.000000000 +0000
@@ -38,7 +38,7 @@
                 [
                     'methods' => WP_REST_Server::READABLE,
                     'callback' => [$this, 'get_items'],
-                    'permission_callback' => '__return_true',
+                    'permission_callback' => '__return_true', // Public endpoint; access is validated inside get_items() based on campaign status and page privacy.
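Review bot: The only change on the 'permission_callback' line is a trailing comment; the endpoint stays public and the hunk contains no escaping of the 'comment' or 'donorName' fields that the Summary identifies as the sink, so this hunk by itself does not fix the stored XSS. The hunk header declares seven lines but only four are shown, so whatever controller change escapes the output is not visible in this excerpt. Style-wise, a comment that long belongs on its own line above the array element rather than trailing it.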

Exploit Outline

1. An unauthenticated attacker locates a public donation form on the WordPress site powered by GiveWP.
2. The attacker submits a donation and provides a malicious JavaScript payload (e.g., <script>alert(1)</script>) in the 'Comment' field.
3. The plugin fails to sanitize this input and stores it in the donation metadata (give_donationmeta table).
4. When a user or administrator visits a page that displays campaign comments (like the donor wall or campaign landing page), the application retrieves the comments via the REST API endpoint (/wp-json/give-api/v3/campaigns/comments).
5. The REST API returns the comment field raw, without output escaping.
6. The browser renders the raw script, leading to Cross-Site Scripting execution in the victim's session.
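
For a site owner, the outline above translates into two checks after updating: is the installed plugin at or past the patched release, and does the comments endpoint still hand back raw markup for comments that were stored before the update. The following is an added example, not GiveWP's code, that performs both offline. The version boundary (4.14.6) is taken from this page; the response shape is assumed to be a plain JSON array of the objects the controller builds, and the sample bodies are constructed for the example rather than captured from a site.

```php
<?php
// Added example, not GiveWP's code. Post-update checks for this advisory.
// Assumption: the endpoint returns a JSON array of objects with the keys the
// controller builds (donorName, comment, anonymous, ...). Sample bodies below
// are constructed, not captured.

const PATCHED_VERSION = '4.14.6'; // patched release named on this page

/** True when $installed is older than the release that fixes the issue. */
function isVulnerableVersion(string $installed): bool
{
    return version_compare($installed, PATCHED_VERSION, '<');
}

/**
 * Return the zero-based indexes of entries whose comment or donorName still
 * carries raw markup. A tag that was escaped on output appears as &lt;...&gt;
 * and does not match; a raw "<" followed by a tag name, "/" or "!" does.
 * A comment such as "a<b" is a false positive worth a manual look.
 */
function findUnescapedEntries(string $jsonBody): array
{
    $entries = json_decode($jsonBody, true);
    if (!is_array($entries)) {
        throw new InvalidArgumentException('Response body is not a JSON array');
    }
    $flagged = [];
    foreach ($entries as $i => $entry) {
        foreach (['comment', 'donorName'] as $field) {
            $value = (string) ($entry[$field] ?? '');
            if (preg_match('/<\s*\/?[a-z!]/i', $value)) {
                $flagged[] = $i;
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample: what an unpatched and a patched endpoint might return
// for the same two stored comments.
$unpatchedBody = json_encode([
    ['donorName' => 'Ada', 'comment' => 'Keep up the good work!', 'anonymous' => false],
    ['donorName' => 'Mallory', 'comment' => '<script>alert(1)</script>', 'anonymous' => false],
]);
$patchedBody = json_encode([
    ['donorName' => 'Ada', 'comment' => 'Keep up the good work!', 'anonymous' => false],
    ['donorName' => 'Mallory', 'comment' => '&lt;script&gt;alert(1)&lt;/script&gt;', 'anonymous' => false],
]);

foreach (['4.14.5', '4.14.6'] as $v) {
    printf("GiveWP %s: %s\n", $v, isVulnerableVersion($v) ? 'update required' : 'patched');
}
printf("unpatched sample: flagged entries %s\n", json_encode(findUnescapedEntries($unpatchedBody)));
printf("patched sample:   flagged entries %s\n", json_encode(findUnescapedEntries($patchedBody)));
```

To run the second check against your own installation, fetch the endpoint from the site (wp_remote_get() inside WordPress, or curl from the shell) and pass the body to findUnescapedEntries(); any flagged index points at a stored comment that should be reviewed and cleaned in the donation metadata, since updating the plugin changes how comments are rendered but does not rewrite what was stored before the update.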
