PT-2026-60402 · WordPress · Givewp

Amonra

+4

·

Published

2026-07-16

·

Updated

2026-07-16

·

CVE-2026-14987

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions GiveWP – Donation Plugin and Fundraising Platform versions prior to 4.16.4
Description Insufficient input sanitization and output escaping allow authenticated attackers with give worker-level access and above to perform Stored Cross-Site Scripting. The issue occurs when the twitter message Sequoia Template Setting is used, allowing the injection of arbitrary web scripts. These scripts execute when a donor clicks the Share on Twitter button on the Sequoia donation confirmation view, as the unescaped twitter message value is evaluated within a JavaScript template literal.
Recommendations Update GiveWP – Donation Plugin and Fundraising Platform to version 4.16.4 or later.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-14987

Affected Products

Givewp