Stored Cross-Site Scripting Vulnerability in GiveWP Donation Plugin for WordPress
CVE-2026-13246

6.4MEDIUM

What is CVE-2026-13246?

The GiveWP Donation Plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping on user-supplied data in the 'givewp_campaign_comments' shortcode. Authenticated attackers, possessing author-level access or higher, can exploit this vulnerability to inject malicious scripts into pages. These scripts can execute whenever a user accesses the impacted page, potentially compromising user security and functionality.

Affected Version(s)

GiveWP – Donation Plugin and Fundraising Platform 0 <= 4.16.0

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

AmonRa
.