CVE-2026-13704
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
The GiveWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in versions up to and including 4.16.1 due to insufficient input sanitization and output escaping.
Risk Assessment
An authenticated attacker with Give Worker-level access or higher can inject arbitrary scripts that execute whenever a user visits an affected page, potentially leading to session hijacking, defacement, or admin account takeover.
Recommendation
Update the GiveWP plugin to version 4.16.2 or later immediately. Restrict user privileges to the minimum necessary and regularly audit access roles.
Original NVD description (English source)
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Give Worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

