CVE Catalog

CVE-2026-13246

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

The GiveWP plugin for WordPress up to 4.16.0 is vulnerable to stored XSS via the 'givewp_campaign_comments' shortcode attributes. Authenticated attackers with author-level access can inject arbitrary scripts that execute on every page visit.

Risk Assessment

Risk includes session hijacking, data theft, or malware propagation on the site, potentially harming organizational reputation and donor data.

Recommendation

Immediately update the GiveWP plugin to version 4.16.1 or later and restrict author-level permissions to the minimum necessary.

Original NVD description (English source)

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and other) shortcode attributes of the 'givewp_campaign_comments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render(), where the blockId value is interpolated directly into a single-quoted HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS