CVE-2026-34900: WordPress GiveWP plugin <= 4.14.2 - Reflected Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in GiveWP <= 4.14.2 versions.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: — (no fix published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Reflected Cross-Site Scripting (XSS) affects the GiveWP WordPress donation plugin at version 4.14.2 and earlier. The vulnerability is reachable over the network, requires no authentication, but does require a victim to follow a crafted link, making it a social-engineering-dependent attack. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, disclosing session data, injecting content, and disrupting the page experience. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment upstream ships a remediation.
HarborGuard Coverage
- Detection: Available. Detection for CVE-2026-34900 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds including Patchstack, covering both registry-hosted and pipeline-built images. Custom images that bundle the GiveWP plugin are included in this matching automatically.
- Scoring and triage: Available. HarborGuard is capable of scoring this CVE at CVSS 7.1 HIGH and weighting it against each customer environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer org is available as soon as a match is confirmed.
- Patched-image rebuild: Pending upstream. Because no fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream ships a remediated release. In the interim, customers can apply compensating controls such as network-policy isolation or Web Application Firewall rules directly from the HarborGuard recommendations panel.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP/HTTPS from any internet-connected location.
- Authentication: Not required
No account or session credential is needed; the malicious request can be crafted and delivered by any unauthenticated party.
- Victim interaction: Required
A target user must follow a crafted URL containing the injected payload, meaning the attacker must socially engineer the victim into clicking a malicious link.
- Attack complexity: Low
The exploit is reliable and requires no race conditions, special timing, or environmental prerequisites beyond delivery of the crafted link.
Blast Radius
- Reads browser-accessible session cookies and authentication tokens belonging to the victim, potentially enabling account takeover.
- Injects arbitrary HTML or JavaScript into the page context, allowing the attacker to present fake forms or phishing content to the victim.
- Performs actions within the victim's authenticated session, such as modifying donation settings or exfiltrating donor records visible to that user.
- Disrupts the page rendering experience for the victim, degrading the functionality of the GiveWP donation interface.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged and tracked continuously through every ingest cycle until an upstream fix is published. Because no patched version of GiveWP exists today, the automated rebuild-and-PR flow is not yet triggered, but it will activate automatically the moment a fix version is released by Liquid Web / StellarWP. While awaiting an upstream patch, HarborGuard surfaces compensating-control recommendations including Web Application Firewall rule deployment to block reflected payloads, network-policy isolation of the WordPress workload, and egress filtering to limit data exfiltration from any successfully compromised browser session. For customers with auto-remediation enabled, once a fix version ships the typical flow applies: a rebuilt image is generated, a regression test is run, and a PR is opened against affected workloads, with median time from CVE-to-merged-PR around 90 minutes for high-severity issues in those environments.
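The compensating controls above hinge on spotting reflected payloads in inbound requests before an upstream fix exists. The following is an added example, not HarborGuard's or GiveWP's code: a small defender-side scanner that parses combined-format access log lines, decodes the query string (including double-encoded values), and flags parameters carrying the markers a reflected-XSS link relies on. The log lines are constructed, the client addresses are documentation ranges, and the parameter names `search` and `ref` are placeholders, not the GiveWP parameter affected by this advisory.

```python
"""Flag likely reflected-XSS probes in web-server access logs (added example)."""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx combined format: ip - - [ts] "METHOD /path?query HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers typical of script-bearing payloads. They are matched after decoding,
# so %3Cscript%3E and &#60;script are caught as well as literal tags.
XSS_MARKERS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"<\s*(?:svg|img|iframe|body|details|object|embed)\b[^>]*\bon\w+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(?:error|load|mouseover|focus|toggle)\s*=", re.I),
]


def deep_decode(value: str, rounds: int = 3) -> str:
    """Undo a bounded number of percent-encoding / HTML-entity layers."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> dict:
    """Return {param: decoded_value} for query parameters carrying XSS markers."""
    query = urlsplit(target).query
    hits = {}
    # parse_qsl already removes one layer of percent-encoding; deep_decode
    # handles double-encoded and entity-encoded values on top of that.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = deep_decode(raw)
        if any(marker.search(value) for marker in XSS_MARKERS):
            hits[name] = value
    return hits


def scan_log(lines) -> list:
    """Return (client_ip, request_target, hits) for each line that looks like an XSS probe."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(match.group("target"))
        if hits:
            findings.append((match.group("ip"), match.group("target"), hits))
    return findings


# Constructed sample log: two encoded script payloads, one benign search,
# one javascript: URL. Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:00:01 +0000] "GET /donate/?search=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2026:10:00:02 +0000] "GET /donate/?search=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:10:00:03 +0000] "GET /donate/?search=monthly%20giving HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2026:10:00:04 +0000] "GET /donate/?ref=javascript%3Aalert(document.domain) HTTP/1.1" 200 5123 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {hits}")
```

Run it over a real access log by replacing `SAMPLE_LOG` with the file's lines. The decoding step is the part worth keeping: a WAF or log rule that only matches literal `<script` misses the double-encoded second line, which the plugin's own decoding would turn back into a live tag before echoing it.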
Affected Products
- Liquid Web / StellarWP / GiveWP: ≤ 4.14.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L