PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42678 Liquid Web / StellarWP CVE debrief

PatchSiren defensive debrief for CVE-2026-42678 — DOM-Based Cross-Site Scripting (XSS) in GiveWP WordPress plugin.

Vendor: Liquid Web / StellarWP
Product: GiveWP
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running WordPress sites with the GiveWP donation plugin, especially those exposing donation forms or administrative interfaces to untrusted users. Security teams managing WordPress plugin inventories and vulnerability lifecycle programs.

Technical summary

CVE-2026-42678 is a DOM-Based Cross-Site Scripting (XSS) vulnerability (CWE-79) in the GiveWP WordPress plugin, maintained by Liquid Web / StellarWP. The flaw affects GiveWP versions up to and including 4.14.5 (the CVE record gives no earliest affected version). With a CVSS 3.1 score of 7.1 (HIGH), the attack vector is network-accessible with low attack complexity, no privileges required, and user interaction required; the scope is changed, with low impacts to confidentiality, integrity, and availability. DOM-based XSS arises when attacker-controllable input (for example a URL fragment or query parameter) is read by client-side JavaScript and written to the DOM through a markup-interpreting sink such as innerHTML, so the script executes in the victim's browser in the context of the site. Because the payload can travel in a URL fragment, it may never reach the server, which limits what server-side filtering and logging can see. Organizations using GiveWP should prioritize patching and deploy defense-in-depth controls including CSP and WAF protections.
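The source-to-sink pattern described above, shown as an added example that is not GiveWP code and does not reproduce the CVE-2026-42678 flaw. It assumes a hypothetical thank-you message that reads a `donor` name from the URL fragment; the class name and sample URL are constructed. Node.js has no DOM, so a minimal stand-in element records what each sink receives, which is enough to show why innerHTML interprets the value as markup while textContent (or escaping before interpolation) does not.

```javascript
// Added example: DOM-based XSS source-to-sink pattern and two hardened variants.
// Not GiveWP code; names, class and sample URL are constructed for illustration.

// Stand-in for a DOM element (Node has no DOM): records what each sink receives.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Source: a parameter read from the URL fragment by client-side script.
// The fragment never reaches the server, so server-side filters do not see it.
function readFragmentParam(href, name) {
  const hash = new URL(href).hash.replace(/^#/, '');
  return new URLSearchParams(hash).get(name) || '';
}

// Vulnerable pattern: untrusted text concatenated into markup and assigned to innerHTML.
// Any tags in the value are parsed as HTML rather than shown as text.
function renderThankYouUnsafe(el, href) {
  const donor = readFragmentParam(href, 'donor');
  el.innerHTML = '<p class="give-thanks">Thank you, ' + donor + '!</p>';
  return el.innerHTML;
}

// Hardened variant 1: treat the value as text. textContent never parses markup.
function renderThankYouSafe(el, href) {
  const donor = readFragmentParam(href, 'donor');
  el.textContent = 'Thank you, ' + donor + '!';
  return el.textContent;
}

// Hardened variant 2: when markup must be built as a string, escape before interpolating.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderThankYouEscaped(el, href) {
  const donor = readFragmentParam(href, 'donor');
  el.innerHTML = '<p class="give-thanks">Thank you, ' + escapeHtml(donor) + '!</p>';
  return el.innerHTML;
}

// Constructed sample URL: the fragment carries a harmless tag instead of a plain name.
const SAMPLE_HREF = 'https://example.test/donate/#donor=%3Cb%3Enot-a-name%3C%2Fb%3E';

// Stand-alone demonstration of the three sinks on the same input.
console.log('unsafe  :', renderThankYouUnsafe(makeElement(), SAMPLE_HREF));
console.log('text    :', renderThankYouSafe(makeElement(), SAMPLE_HREF));
console.log('escaped :', renderThankYouEscaped(makeElement(), SAMPLE_HREF));
```

The unsafe renderer hands the raw `<b>` tag to the HTML parser; the text-node and escaped renderers keep it as literal characters. In a real page the same distinction decides whether an injected `<script>` or event-handler attribute executes, and it applies to every markup sink (innerHTML, outerHTML, insertAdjacentHTML, document.write, jQuery `.html()`), which is the class of sink a review of plugin front-end code should look for.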

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade GiveWP to a version newer than 4.14.5 if a patched release is available from the vendor.
  • Apply principle of least privilege; review and restrict administrative access to WordPress plugin management interfaces.
  • Implement Content Security Policy (CSP) headers and other browser-level mitigations to reduce impact of DOM-based XSS flaws.
  • Review web application firewall (WAF) rules for DOM-based XSS patterns targeting donation-form and admin interfaces in GiveWP.
  • Monitor for unauthorized plugin modifications or unexpected script injection in pages rendering GiveWP shortcodes or blocks.
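Two of the actions above, the CSP item and the script-injection monitoring item, lend themselves to a small automated check. The following is an added example, not PatchSiren or GiveWP tooling: it parses a Content-Security-Policy header and flags settings that would let an injected inline script run, and it scans rendered page HTML for inline `<script>` elements that lack the page's nonce. The header strings, nonce value, sample page and file paths are constructed.

```javascript
// Added example: defensive checks for the CSP and script-injection monitoring actions.
// Not project code; policies, nonce and sample HTML below are constructed.

// Parse a CSP header into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// script-src falls back to default-src when absent.
function effectiveScriptSources(policy) {
  return policy.get('script-src') || policy.get('default-src') || [];
}

// Return findings that weaken CSP as a mitigation for DOM-based XSS.
function auditCsp(header) {
  const findings = [];
  const scripts = effectiveScriptSources(parseCsp(header));
  if (scripts.length === 0) {
    findings.push('no script-src or default-src: inline and remote scripts are unrestricted');
    return findings;
  }
  // Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it alone.
  const hasNonceOrHash = scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' without a nonce or hash: injected inline scripts will run");
  }
  if (scripts.includes('*') || scripts.some((s) => /^(https?:|data:)$/.test(s))) {
    findings.push('wildcard scheme or host in script sources');
  }
  if (scripts.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' permits string-to-code sinks such as eval()");
  }
  return findings;
}

// Inline <script> elements that do not carry the expected nonce are candidates
// for injected content; external scripts (src=) are inventoried separately.
function findUnexpectedInlineScripts(html, nonce) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    if (/\bsrc\s*=/i.test(attrs)) continue;
    const nm = /\bnonce\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (!nm || nm[1] !== nonce) out.push(m[2].trim().slice(0, 80));
  }
  return out;
}

// Constructed sample page: one nonced inline script, one external, one unexpected inline.
const SAMPLE_NONCE = 'r4nd0m';
const SAMPLE_PAGE = `<html><head>
<script nonce="r4nd0m">window.giveConfig = {};</script>
<script src="/wp-content/plugins/give/assets/dist/js/give.js"></script>
</head><body>
<div class="give-form-wrap"></div>
<script>document.title = 'changed';</script>
</body></html>`;

const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRONG_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'";

console.log('weak policy findings  :', auditCsp(WEAK_CSP));
console.log('strong policy findings:', auditCsp(STRONG_CSP));
console.log('unexpected inline     :', findUnexpectedInlineScripts(SAMPLE_PAGE, SAMPLE_NONCE));
```

Run the CSP audit against the header your site actually serves and the inline-script scan against a fetched copy of a page that renders a GiveWP form or block; a new non-nonced inline script appearing between two scans is the kind of change the monitoring action above is meant to catch. CSP limits the damage of a DOM-based XSS but does not remove the bug, so it complements the upgrade rather than replacing it.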

Evidence notes

CVE published 2026-06-01 at 17:17 UTC and modified same day at 17:57 UTC. NVD status is Deferred. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. Weakness: CWE-79. Affected versions: GiveWP through 4.14.5. Vendor attribution is low-confidence (unknown-vendor) based on reference-domain candidate evidence from Patchstack; Liquid Web / StellarWP is named in the CVE description as the maintainer of GiveWP. No KEV entry. No known ransomware campaign use.

Official resources

2026-06-01