Stored Cross-Site Scripting Vulnerability in GiveWP Donation Plugin for WordPress
CVE-2026-14987

6.4MEDIUM

What is CVE-2026-14987?

The GiveWP Donation Plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) attack via the 'twitter_message' Sequoia Template Setting. This vulnerability arises from inadequate input sanitization and output escaping present in all versions up to and including 4.16.3. Authenticated attackers with give worker-level access or higher can exploit this weakness to inject malicious scripts into pages. The dangerous part is that these scripts activate when a user clicks the Share on Twitter button on the Sequoia donation confirmation view, executing the unencoded twitter_message value in a JavaScript template literal.

Affected Version(s)

GiveWP – Donation Plugin and Fundraising Platform 0 <= 4.16.3

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

FeDEX
skyv3il
Chirita Catalin-Andrei (CC99IE)
AmonRa
MrProperCTF
.