Stored Cross-Site Scripting Vulnerability in GiveWP Donation Plugin
CVE-2026-13704

6.4MEDIUM

What is CVE-2026-13704?

The GiveWP Donation Plugin for WordPress is exposed to a stored cross-site scripting vulnerability through the 'sequoia[introduction][image]' parameter. This flaw arises from inadequate input sanitization and output escaping, allowing authenticated users with Give Worker-level access or higher to inject malicious web scripts. These scripts execute when users access the compromised pages, potentially leading to unauthorized access or data manipulation.

Affected Version(s)

GiveWP – Donation Plugin and Fundraising Platform 0 <= 4.16.1

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chirita Catalin-Andrei (CC99IE)
.