CVE-2026-34900

Vulnerability

The GiveWP plugin for WordPress versions 4.14.2 and earlier is vulnerable to an unauthenticated reflected Cross Site Scripting (XSS) attack. The vulnerability arises due to improper sanitization of user-supplied input in a specific parameter, which is reflected back to the user without proper encoding. [1]

Exploitation

An attacker can craft a malicious URL containing the XSS payload and trick a privileged user (e.g., administrator) into clicking it. No authentication is required to trigger the vulnerability, but successful exploitation depends on user interaction, such as clicking a link or visiting a crafted page. [1]

Impact

If exploited, the attacker's script executes in the context of the victim's browser session. This can lead to sensitive data exposure, session hijacking, redirection to malicious sites, or injection of unauthorized content. The potential impact is moderate due to the need for user interaction. [1]

Mitigation

Update to GiveWP version 4.14.3 or later, which resolves the vulnerability. If immediate update is not possible, apply a virtual patch or mitigation rule from security services like Patchstack. No workaround other than updating has been provided. [1]