Stored Cross-Site Scripting Vulnerability in GiveWP Donation Plugin for WordPress
CVE-2026-14987
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 July 2026
What is CVE-2026-14987?
The GiveWP Donation Plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) attack via the 'twitter_message' Sequoia Template Setting. This vulnerability arises from inadequate input sanitization and output escaping present in all versions up to and including 4.16.3. Authenticated attackers with give worker-level access or higher can exploit this weakness to inject malicious scripts into pages. The dangerous part is that these scripts activate when a user clicks the Share on Twitter button on the Sequoia donation confirmation view, executing the unencoded twitter_message value in a JavaScript template literal.
Affected Version(s)
GiveWP β Donation Plugin and Fundraising Platform 0 <= 4.16.3
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved