CVE-2026-42678: WordPress GiveWP plugin <= 4.14.5 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liquid Web / StellarWP GiveWP allows DOM-Based XSS. This issue affects GiveWP: from n/a through 4.14.5.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A DOM-based cross-site scripting (XSS) vulnerability exists in the GiveWP WordPress plugin, versions 4.14.5 and earlier, developed by Liquid Web / StellarWP. The vulnerability is reachable over the network without any authentication, but requires a victim to interact with a crafted link or page. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser context, enabling session theft, page content manipulation, and disruption of the affected page's functionality. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-42678 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle the GiveWP plugin.
Status: Available
HarborGuard is capable of scoring this CVE at 7.1 HIGH (CVSS v3.1) and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard pipeline.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released by Liquid Web / StellarWP. In the interim, compensating controls such as network policy restrictions and WAF rule deployment can be tracked through the HarborGuard advisory monitor for this CVE.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the target WordPress installation via standard HTTP/HTTPS.
- Authentication: Not required
No account or credentials are needed; the attacker can deliver the malicious payload without authenticating to the WordPress site.
- Victim interaction: Required
A victim must follow a crafted link or visit an attacker-controlled page that triggers the DOM-based XSS payload in their browser.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Reads session cookies or authentication tokens stored in the browser, enabling account hijacking for the affected victim.
- Injects and executes attacker-controlled JavaScript in the victim's browser session, modifying visible page content including donation forms and trust indicators.
- Performs actions on the WordPress site on behalf of the victim using their active session, such as submitting forms or altering settings the victim has access to.
- Disrupts the rendering and behavior of the affected page for the victim, degrading the functionality of the GiveWP donation interface.
How HarborGuard Handles This
Available on HarborGuard: this CVE is ingested and matched against all images in connected registries and pipelines, including WordPress-based images that bundle GiveWP at version 4.14.5 or earlier. Because no upstream patch exists yet, HarborGuard re-evaluates the advisory on every ingest cycle and will automatically make a patched-image rebuild available, and for customers with auto-remediation enabled will open a PR against affected workloads, as soon as Liquid Web / StellarWP publishes a fix. While waiting for an upstream patch, customers can apply compensating controls: deploying a WAF rule to strip or encode the vulnerable input, restricting access to the affected endpoint via network policy, and auditing any user-facing links or redirects that pass unsanitized parameters into the DOM. These mitigations do not eliminate the vulnerability but reduce the practical attack surface until a rebuild at a fixed version becomes available.
Affected Products
- Liquid Web / StellarWP / GiveWP: ≤ 4.14.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L