CVE Catalog

CVE-2026-13704

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile — higher than 14% of all known CVEs

Summary

The GiveWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in versions up to and including 4.16.1 due to insufficient input sanitization and output escaping.

Risk Assessment

An authenticated attacker with Give Worker-level access or higher can inject arbitrary scripts that execute whenever a user visits an affected page, potentially leading to session hijacking, defacement, or admin account takeover.

Recommendation

Update the GiveWP plugin to version 4.16.2 or later immediately. Restrict user privileges to the minimum necessary and regularly audit access roles.

Original NVD description (English source)

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Give Worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS