CVE-2026-42678 Overview
CVE-2026-42678 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the GiveWP WordPress donation plugin, maintained by Liquid Web / StellarWP. The flaw stems from improper neutralization of input during web page generation [CWE-79]. All versions of GiveWP up to and including 4.14.5 are affected.
An attacker can craft a malicious link or payload that, when processed by the victim's browser, executes arbitrary JavaScript in the context of the WordPress site. Exploitation requires user interaction, such as clicking a crafted URL. Successful attacks can lead to session token theft, defacement, or redirection to attacker-controlled infrastructure.
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser session, potentially hijacking authenticated WordPress administrator accounts on sites running GiveWP 4.14.5 or earlier.
Affected Products
- Liquid Web / StellarWP GiveWP plugin for WordPress
- All GiveWP versions from initial release through 4.14.5
- WordPress sites accepting donations via the GiveWP donation forms
Discovery Timeline
- 2026-06-01 - CVE-2026-42678 published to the National Vulnerability Database (NVD)
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-42678
Vulnerability Analysis
The vulnerability is classified as DOM-based XSS, meaning the malicious payload is processed entirely within the victim's browser by client-side JavaScript shipped with the GiveWP plugin. Unlike reflected or stored XSS, the payload never needs to be returned by the server in the HTTP response body. Instead, a client-side script reads untrusted data from a source such as location.hash, location.search, or document.referrer and writes it to a sink such as innerHTML or document.write without sanitization.
The CVSS scope metric is Changed, indicating that the executed script can affect resources beyond the vulnerable component, including the parent WordPress site. Because the donation plugin is frequently embedded across multiple high-traffic pages, the attack surface extends to any visitor who follows a crafted link to a GiveWP-enabled page.
Root Cause
The root cause is missing or insufficient output encoding in client-side JavaScript shipped with GiveWP through version 4.14.5. User-controllable data is inserted into the Document Object Model (DOM) without escaping HTML or JavaScript metacharacters, allowing script execution.
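To make the root cause concrete, here is an added example (not GiveWP's code) showing the source-to-sink pattern described above beside two hardened forms; the parameter name "give-message", the markup and the element stand-in are assumptions made for this illustration.

```javascript
// Constructed illustration of the source-to-sink pattern described above.
// It is NOT GiveWP's code: the parameter name "give-message", the markup and
// the element stand-in are assumptions made for this example.

// Minimal stand-in for a DOM element so the example also runs under Node.js;
// in a browser, pass a real element such as document.querySelector('.give-msg').
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Source: read a query parameter from a location-like object (location.search).
function readParam(locationLike, name) {
  const params = new URLSearchParams(locationLike.search);
  return params.get(name) ?? '';
}

// VULNERABLE pattern (CWE-79): the untrusted value is concatenated straight
// into an HTML sink, so any tags or event handlers it carries get parsed.
function renderUnsafe(el, locationLike) {
  const msg = readParam(locationLike, 'give-message');
  el.innerHTML = '<p class="give-message">' + msg + '</p>';
  return el.innerHTML;
}

// Encode the five HTML metacharacters so data can never open or close a tag
// or attribute. Required whenever a value is spliced into an HTML string.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED pattern 1: encode before building the HTML string.
function renderEncoded(el, locationLike) {
  const msg = escapeHtml(readParam(locationLike, 'give-message'));
  el.innerHTML = '<p class="give-message">' + msg + '</p>';
  return el.innerHTML;
}

// HARDENED pattern 2 (preferred): write through a text sink. textContent never
// parses markup, so there is no encoding step to forget.
function renderText(el, locationLike) {
  el.textContent = readParam(locationLike, 'give-message');
  return el.textContent;
}

// Constructed sample location carrying a classic marker payload.
const sampleLocation = { search: '?give-message=<script>alert(1)</script>' };
```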
Attack Vector
The attack is delivered over the network and requires user interaction. An attacker constructs a URL pointing at a GiveWP page and embeds a payload in a parameter parsed by the vulnerable client-side script. When the victim visits the URL, the browser parses the payload into executable script context within the origin of the WordPress site.
No authentication is required to deliver the payload. If the victim holds an authenticated WordPress session, the injected script inherits those privileges, enabling actions such as creating administrative users or modifying donation settings.
No public proof-of-concept exploit code has been released. Refer to the Patchstack Vulnerability Report for vendor-coordinated technical details.
Detection Methods for CVE-2026-42678
Indicators of Compromise
- Unexpected <script>, onerror=, or javascript: strings appearing in HTTP request URLs targeting GiveWP donation endpoints
- Outbound browser requests from administrator sessions to unknown domains shortly after visiting a donation page
- New, unrecognized WordPress administrator accounts or modified GiveWP gateway configuration
- Anomalous referrer headers or URL fragments containing encoded HTML in WordPress access logs
Detection Strategies
- Inspect WordPress access logs and web application firewall (WAF) telemetry for URLs containing encoded XSS primitives such as %3Cscript%3E, %3Cimg, or javascript:
- Hunt for GiveWP plugin versions less than or equal to 4.14.5 across WordPress fleets using asset inventory queries
- Correlate browser process telemetry on administrator endpoints with visits to donation pages and subsequent outbound connections
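The log-hunting strategy above, as an added example that is not part of the advisory: it decodes the request target (including double-encoded forms) and reports the listed primitives only for requests to GiveWP routes. The route list, log format and sample lines are assumptions constructed for this example.

```javascript
// Added detection example (not from the advisory): flag access-log requests to
// GiveWP routes whose decoded target carries the primitives listed above.

// Path fragments treated as GiveWP pages or endpoints (assumed for this example).
const GIVEWP_ROUTES = ['/donate', '/give', '/wp-content/plugins/give/', 'give-'];
// Primitives to look for after decoding, matched case-insensitively.
const XSS_PRIMITIVES = ['<script', '<img', 'onerror=', 'javascript:'];

// Percent-decode repeatedly so double-encoded payloads (%253Cscript%253E) are
// caught too; stop when a round changes nothing or the input is malformed.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Pull method and request target out of one combined-log-format line.
function parseLogLine(line) {
  const m = line.match(/"([A-Z]+) ([^ "]+) HTTP\/[\d.]+"/);
  return m ? { method: m[1], target: m[2] } : null;
}

// Primitives found in the target, or [] when unparsable or not a GiveWP route.
function findXssInLine(line) {
  const req = parseLogLine(line);
  if (!req) return [];
  const rawLower = req.target.toLowerCase();
  if (!GIVEWP_ROUTES.some((r) => rawLower.includes(r))) return [];
  const decoded = fullyDecode(req.target).toLowerCase();
  return XSS_PRIMITIVES.filter((p) => decoded.includes(p));
}

// Scan many lines and keep only the suspicious GiveWP requests with their hits.
function scanLog(lines) {
  return lines.map((line) => ({ line, hits: findXssInLine(line) }))
    .filter((r) => r.hits.length > 0);
}

// Constructed sample lines (combined log format; addresses are documentation ranges).
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jun/2026:10:00:00 +0000] "GET /donate/?give-message=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
  '203.0.113.6 - - [01/Jun/2026:10:00:01 +0000] "GET /donate/?amount=25 HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Jun/2026:10:00:02 +0000] "GET /blog/?q=%3Cscript%3E HTTP/1.1" 200 512',
  '203.0.113.8 - - [01/Jun/2026:10:00:03 +0000] "GET /give/form/?ref=%253Cimg%2520src%253Dx%2520onerror%253Dx%253E HTTP/1.1" 200 512',
];
```

Note that a payload carried in location.hash is never sent to the server, so it leaves no trace in access logs; for that source, Content Security Policy violation reports or browser telemetry on the endpoint are the only places it will surface.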
Monitoring Recommendations
- Forward WordPress and reverse-proxy logs into a centralized analytics platform and alert on XSS pattern matches against GiveWP routes
- Monitor for unauthorized changes to WordPress user accounts, roles, and plugin settings
- Enable Content Security Policy (CSP) violation reporting to surface inline script execution attempts
How to Mitigate CVE-2026-42678
Immediate Actions Required
- Upgrade GiveWP to a version newer than 4.14.5 as soon as the vendor releases a patched build
- Audit WordPress administrator accounts and recently modified GiveWP configuration for signs of tampering
- Restrict access to the WordPress admin interface using IP allow lists or VPN gating until patched
- Force password resets for all privileged users if compromise is suspected
Patch Information
GiveWP versions up to 4.14.5 are affected. Site operators should consult the Patchstack Vulnerability Report for the fixed release version and apply the update through the WordPress plugin dashboard or via WP-CLI.
Workarounds
- Deploy a WAF rule that blocks requests to GiveWP endpoints containing HTML or JavaScript metacharacters in query parameters and fragments
- Configure a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
- Temporarily disable the GiveWP plugin on non-production environments until the patch is installed and verified
# Identify GiveWP version across a WordPress host using WP-CLI
wp plugin get give --field=version
# Update GiveWP to the latest patched release
wp plugin update give
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.