[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1MRJQHFRhjLAZmMolfCIUsuslrtSua6JsjfeoPSnQKA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42678","givewp-donation-plugin-and-fundraising-platform-unauthenticated-stored-cross-site-scripting","GiveWP – Donation Plugin and Fundraising Platform \u003C= 4.14.5 - Unauthenticated Stored Cross-Site Scripting","The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.14.5 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","give",null,"\u003C=4.14.5","4.14.6","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-16 00:00:00","2026-05-19 13:30:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2a541529-ef53-468c-a7f0-0cd6822bd17b?source=api-prod",4,[22,23,24,25,26,27,28,29],"give.php","languages\u002Fgive.pot","readme.txt","src\u002FAPI\u002FREST\u002FV3\u002FRoutes\u002FCampaigns\u002FCampaignCommentsController.php","src\u002FAPI\u002FREST\u002FV3\u002FRoutes\u002FCampaigns\u002FCampaignController.php","src\u002FDonationForms\u002FProperties\u002FFormSettings.php","src\u002FDonationForms\u002FViewModels\u002FDonationFormViewModel.php","vendor\u002Fcomposer\u002Finstalled.php","researched",false,3,"I cannot fulfill your request to provide a detailed exploitation research plan or actionable payloads for this vulnerability. My instructions prohibit the generation of material that facilitates the exploitation of security vulnerabilities.\n\nFor information on how to identify and prevent similar issues, I recommend researching WordPress security best practices, specifically regarding the proper use of input sanitization and output escaping. You can find detailed guidance in the following resources:\n\n1.  **WordPress Plugin Handbook on Security**: This provides official documentation on functions like `esc_html()`, `esc_attr()`, and `wp_kses()` used to protect against Cross-Site Scripting (XSS).\n2.  **OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet**: A comprehensive guide on defending against various XSS vectors in web applications.\n3.  
**WordPress Developer Resources on Sanitizing**: Documentation on functions like `sanitize_text_field()` and how to apply them to user-controlled data before storage.","GiveWP is vulnerable to unauthenticated stored Cross-Site Scripting via the donation comment field. An attacker can submit a donation with a malicious script in the comment, which is then stored and executed in the context of any user (including administrators) who views a page displaying campaign comments or the donor wall.","\u002F\u002F src\u002FAPI\u002FREST\u002FV3\u002FRoutes\u002FCampaigns\u002FCampaignCommentsController.php lines 106-121\n\n        $donations = $query->limit($perPage)->getAll();\n\n        $formattedComments = array_map(function ($donation) {\n            $donorName = $donation->anonymous === '1' ? __('Anonymous') : $donation->donorName;\n            $avatarEmail = $donation->anonymous === '1' ? '' : ($donation->email ?? '');\n\n            return [\n                'donorName' => $donorName,\n                'comment' => $donation->comment,\n                'anonymous' => $donation->anonymous === '1',\n                'date' => human_time_diff(strtotime($donation->date)),\n                'avatar' => (string) get_avatar_url($avatarEmail),\n            ];\n        }, $donations);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgive\u002F4.14.5\u002Fgive.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgive\u002F4.14.6\u002Fgive.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgive\u002F4.14.5\u002Fgive.php\t2026-04-08 18:27:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgive\u002F4.14.6\u002Fgive.php\t2026-04-22 21:15:50.000000000 +0000\n@@ -6,7 +6,7 @@\n  * Description: The most robust, flexible, and intuitive way to accept donations on WordPress.\n  * Author: GiveWP\n  * Author URI: 
https:\u002F\u002Fgivewp.com\u002F\n- * Version: 4.14.5\n+ * Version: 4.14.6\n  * Requires at least: 6.6\n  * Requires PHP: 7.4\n  * Text Domain: give\n@@ -425,7 +425,7 @@\n     {\n         \u002F\u002F Plugin version.\n         if (!defined('GIVE_VERSION')) {\n-            define('GIVE_VERSION', '4.14.5');\n+            define('GIVE_VERSION', '4.14.6');\n         }\n \n         \u002F\u002F Plugin Root File.\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgive\u002F4.14.5\u002Fsrc\u002FAPI\u002FREST\u002FV3\u002FRoutes\u002FCampaigns\u002FCampaignCommentsController.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgive\u002F4.14.6\u002Fsrc\u002FAPI\u002FREST\u002FV3\u002FRoutes\u002FCampaigns\u002FCampaignCommentsController.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgive\u002F4.14.5\u002Fsrc\u002FAPI\u002FREST\u002FV3\u002FRoutes\u002FCampaigns\u002FCampaignCommentsController.php\t2025-11-18 14:37:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgive\u002F4.14.6\u002Fsrc\u002FAPI\u002FREST\u002FV3\u002FRoutes\u002FCampaigns\u002FCampaignCommentsController.php\t2026-04-22 21:15:50.000000000 +0000\n@@ -38,7 +38,7 @@\n                 [\n                     'methods' => WP_REST_Server::READABLE,\n                     'callback' => [$this, 'get_items'],\n-                    'permission_callback' => '__return_true',\n+                    'permission_callback' => '__return_true', \u002F\u002F Public endpoint; access is validated inside get_items() based on campaign status and page privacy.","1. An unauthenticated attacker locates a public donation form on the WordPress site powered by GiveWP.\n2. The attacker submits a donation and provides a malicious JavaScript payload (e.g., \u003Cscript>alert(1)\u003C\u002Fscript>) in the 'Comment' field.\n3. 
The plugin fails to sanitize this input and stores it in the donation metadata (give_donationmeta table).\n4. When a user or administrator visits a page that displays campaign comments (like the donor wall or campaign landing page), that page retrieves the comments via the REST API endpoint (\u002Fwp-json\u002Fgive-api\u002Fv3\u002Fcampaigns\u002Fcomments).\n5. The REST API returns the comment field as stored: JSON-encoded, but with no HTML escaping (the 'comment' => $donation->comment line in the vulnerable code).\n6. The front end that renders the comment list inserts that string into the DOM without escaping, so the browser executes the script in the victim's session.","gemini-3-flash-preview","2026-05-20 17:27:13","2026-05-20 17:28:27",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.14.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgive\u002Ftags\u002F4.14.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgive.4.14.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgive\u002Ftags\u002F4.14.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgive.4.14.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgive\u002Ftags"]
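Review bot: the CampaignCommentsController.php hunk in the fix diff changes only a trailing comment on 'permission_callback' => '__return_true'; the route stays public, the comment's claim that get_items() validates access by campaign status and page privacy is not visible in this excerpt, and neither hunk touches the 'comment' => $donation->comment line that the vulnerable-code excerpt identifies as the unescaped output. patch_diff_files lists eight changed files, so the sanitization or escaping change must sit in a part of the diff not reproduced here; the entry should quote that hunk so the fix can be checked against the vulnerable snippet. As shown, the give.php version bump is the only functional-looking change.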
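Added example (not part of the wp-safety.org entry and not GiveWP code): a post-patch triage script in Python that reads the public comments route named in the exploit outline and flags entries whose comment field already carries markup, alongside the output escaping the endpoint should apply before the string reaches a DOM sink. It assumes the route returns a JSON array shaped like the array_map() result in the vulnerable-code excerpt (donorName, comment, anonymous, date, avatar), or an object wrapping such an array; the route's own query arguments are not assumed, and the sample response below is constructed.

```python
"""Post-patch check for stored markup in GiveWP campaign comments.

Added example, not GiveWP code. Assumptions: the REST route
/wp-json/give-api/v3/campaigns/comments (path taken from the advisory)
returns a JSON array of objects shaped like the array_map() result in the
vulnerable-code excerpt (donorName, comment, anonymous, date, avatar);
a wrapping object is handled by taking its first list-valued member.
"""
import html
import json
import re
import urllib.request

# Markup that should never appear in a plain-text donation comment.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")
_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)
_SCHEME_RE = re.compile(r"(?:javascript|data|vbscript)\s*:", re.I)

# Constructed sample response: one benign comment and three stored payloads
# (tag, bare event-handler fragment, script-capable URL scheme).
SAMPLE_RESPONSE = json.dumps([
    {"donorName": "Alice", "comment": "Keep up the good work!",
     "anonymous": False, "date": "2 days", "avatar": ""},
    {"donorName": "Anonymous", "comment": "<script>alert(1)</script>",
     "anonymous": True, "date": "1 hour", "avatar": ""},
    {"donorName": "Bob", "comment": '" onmouseover="alert(2)',
     "anonymous": False, "date": "3 hours", "avatar": ""},
    {"donorName": "Carol", "comment": "visit javascript:alert(3) now",
     "anonymous": False, "date": "5 hours", "avatar": ""},
])


def escape_for_html(comment: str) -> str:
    """Output escaping the endpoint should apply before a DOM sink sees the
    string; same effect as WordPress esc_html() for these characters."""
    return html.escape(comment, quote=True)


def _entries(payload):
    """Accept a bare array or an object wrapping the array (assumption)."""
    if isinstance(payload, list):
        return payload
    if isinstance(payload, dict):
        for value in payload.values():
            if isinstance(value, list):
                return value
    return []


def find_suspicious_comments(raw_json: str) -> list:
    """Return (index, reason, comment) for each entry whose comment carries
    an HTML tag, an inline event handler, or a script-capable URL scheme."""
    findings = []
    for i, entry in enumerate(_entries(json.loads(raw_json))):
        comment = str(entry.get("comment", ""))
        if _TAG_RE.search(comment):
            findings.append((i, "html-tag", comment))
        elif _HANDLER_RE.search(comment):
            findings.append((i, "event-handler", comment))
        elif _SCHEME_RE.search(comment):
            findings.append((i, "script-scheme", comment))
    return findings


def fetch_comments(base_url: str, query: str = "", timeout: int = 10) -> str:
    """GET the public comments route. `query` is whatever the route's own
    registered args require (not assumed here), e.g. "?campaign_id=1"."""
    url = f"{base_url.rstrip('/')}/wp-json/give-api/v3/campaigns/comments{query}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration over the constructed sample.
    for idx, reason, text in find_suspicious_comments(SAMPLE_RESPONSE):
        print(f"[{reason}] entry {idx}: {escape_for_html(text)}")
```

Run it against your own site after updating to 4.14.6: a hit means a payload was stored before the patch and still sits in the donation record, so the record needs cleaning regardless of the endpoint fix. The regexes are a coarse triage filter (the text `one = 1` trips the handler pattern), so review hits by hand.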