CVE-2026-42678: DOM-Based XSS in GiveWP Plugin (Versions ≤4.14.5)
GiveWP, a popular WordPress donation and fundraising plugin maintained by Liquid Web/StellarWP, contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by site visitors. Unlike traditional XSS flaws, this vulnerability operates at the DOM (Document Object Model) level in the browser, meaning the attack payload is crafted and executed client-side rather than originating from the server. An attacker can trick a user into clicking a malicious link or visiting a compromised page, leading to credential theft, session hijacking, or unauthorized actions taken on behalf of the victim within the vulnerable GiveWP installation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liquid Web / StellarWP GiveWP allows DOM-Based XSS. This issue affects GiveWP: from n/a through 4.14.5.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a DOM-based cross-site scripting vulnerability (CWE-79) affecting GiveWP versions up to and including 4.14.5. The vulnerability stems from improper neutralization of user-controlled input during dynamic web page generation, allowing an attacker to inject arbitrary JavaScript that executes in the victim's browser within the security context of the affected domain. DOM-based XSS differs from stored and reflected XSS in that the vulnerable code path exists entirely on the client side—the malicious payload manipulates the DOM without necessarily being reflected in the HTTP response. The attack requires user interaction (clicking a link or visiting a page containing the exploit), and the resulting session can affect other users or resources depending on the victim's permissions and the scope of the vulnerable component.
Business impact
For organizations running GiveWP for donation processing, membership management, or fundraising campaigns, this vulnerability creates a significant trust and compliance risk. Compromised visitor sessions could lead to fraudulent donations, data exfiltration (personal or payment information), or malware distribution to site visitors. If the vulnerability affects authenticated administrative contexts, attackers could modify donation settings, access sensitive donor information, or escalate privileges. The reputational damage from a publicly exploited XSS on a fundraising platform is substantial, as donors expect secure handling of personal and financial data. Organizations may face increased liability and regulatory scrutiny, particularly under PCI DSS (if payment data is involved) or privacy regulations like GDPR.
Affected systems
GiveWP versions 4.14.5 and earlier are vulnerable. Any WordPress installation with an affected version of the GiveWP plugin is at risk if the vulnerable code path is reachable by unauthenticated users or if an attacker can socially engineer a user into clicking a malicious link. The vulnerability does not appear to require special privileges to trigger, making it broadly exploitable across different deployment scenarios. Organizations should inventory all WordPress sites running GiveWP and determine the installed version to prioritize remediation.
Exploitability
This vulnerability is rated HIGH (CVSS 7.1) due to its network accessibility (no special network requirements), low attack complexity, lack of privilege requirements, and the minimal user interaction needed (a click). While the attack requires a user to interact with a crafted link, that is a low bar in phishing or social engineering contexts. The DOM-based nature means there is no server-side log trail of the attack vector itself, making detection more difficult. The attack can be weaponized in phishing emails, malicious advertisements, or compromised third-party sites linking to vulnerable GiveWP instances. Active exploitation is plausible given the simplicity of DOM-based XSS payloads.
Remediation
Organizations must update GiveWP to a patched version released after 4.14.5. Verify the specific patched version number and release notes from the official StellarWP/Liquid Web security advisories or the GiveWP plugin repository on WordPress.org. In the interim, apply Web Application Firewall (WAF) rules to detect and block common DOM-based XSS payloads targeting the known vulnerable parameter or endpoint. Consider disabling or restricting public access to GiveWP functionality if possible during the patching window. Review access logs for signs of exploitation attempts.
Patch guidance
Check the official GiveWP plugin page and StellarWP security advisories for the earliest patched version following 4.14.5. WordPress site administrators can update directly through the WordPress admin dashboard or via command line using WP-CLI. Before deploying to production, test the patched version in a staging environment to ensure compatibility with custom integrations, payment gateways, and other plugins. Monitor the site for functionality regressions post-update. If automatic updates are disabled, prioritize manual patching within 48–72 hours of patch availability.
Detection guidance
Monitor web server access logs for unusual query parameters or encoded payloads (e.g., excess %3C, %3E, or script-like strings) targeting GiveWP endpoints. Implement endpoint monitoring on the vulnerable code path if it can be identified from vendor advisories. Deploy client-side XSS detection tools (Content Security Policy headers) to log and block inline script execution. Check for signs of session hijacking or unauthorized account activity in donation records or user logs. Search site source code and JavaScript files for DOM manipulation functions (innerHTML, eval, document.write) that may not properly sanitize user input. If available, enable and review security logs from any WordPress security plugins (e.g., Wordfence, Sucuri).
Why prioritize this
Despite not being listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory date, this vulnerability should be treated as high-priority due to its ease of exploitation, network accessibility, and direct impact on user trust and data security. The lack of KEV status does not indicate low risk—it reflects the timing of disclosure and exploitation tracking, not vulnerability severity. Organizations handling donations or personal data through GiveWP should prioritize this over lower-scoring flaws. The DOM-based nature and reliance on user interaction may have delayed widespread automation of public exploits, but that window closes quickly.
Risk score, explained
The CVSS 3.1 score of 7.1 (HIGH) reflects: Attack Vector Network (AV:N) – remotely exploitable with no special network access; Attack Complexity Low (AC:L) – no special conditions needed to exploit; Privileges Required None (PR:N) – unauthenticated attackers can trigger it; User Interaction Required (UI:R) – the user must click a link, a realistic social engineering vector; Scope Changed (S:C) – the vulnerability can affect resources beyond the vulnerable component; Confidentiality, Integrity, and Availability all Low (C:L/I:L/A:L) – the attacker can read, modify, or degrade functionality but not at scale or permanently. The score appropriately captures the balance between ease of exploitation and the severity of potential impact in a real-world fundraising context.
Frequently asked questions
Does this vulnerability require authentication to exploit?
No. The DOM-based XSS can be triggered by unauthenticated users, making it broadly exploitable. However, the actual impact (what data or actions the attacker can access) depends on the privileges of the user who clicks the malicious link.
Is this vulnerability currently being exploited in the wild?
As of the advisory date, this vulnerability is not listed on CISA's KEV catalog, suggesting no publicly documented active exploitation. However, the simplicity of DOM-based XSS attacks means exploit code can be developed quickly once the vulnerability is disclosed. Organizations should not delay patching based on KEV status.
Can this vulnerability steal donations or payment information directly?
This vulnerability enables script injection into a user's browser session, which could be used to redirect payments, modify donation amounts, or capture credentials entered on the page. It does not directly breach backend databases, but it can facilitate credential theft or session hijacking that leads to unauthorized access.
What is the difference between this DOM-based XSS and other XSS types?
Stored XSS persists in the database; reflected XSS appears in the HTTP response. DOM-based XSS manipulates the page structure entirely on the client side using JavaScript, without necessarily involving the server. This makes it harder to detect via traditional server-side logging and scanning tools.
This analysis is provided for informational purposes and represents our assessment based on the publicly available vulnerability disclosure and CVSS score as of the advisory date. Patch version numbers and vendor guidance should be verified directly against official StellarWP and GiveWP security advisories. The absence of a CVE from CISA's KEV catalog does not indicate low risk or lack of exploitability. Organizations should conduct their own risk assessment based on their deployment, user base, and data sensitivity. No liability is assumed for patching decisions or outcomes resulting from this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)