GiveWP
Security
- Added additional escaping and sanitization to the Sequoia (Multi-Step Form) template settings and donation form markup (CVE-2026-13704).
Security
- Standardized email access confirmation AJAX responses to prevent distinguishable server responses.
- Added additional escaping and sanitization to the Campaign Comments block and shortcode attributes (CVE-2026-13246).
Features
- Added an optional donation ID parameter to gateway webhook event handlers, allowing gateways to locate donations when the transaction ID is only available in the webhook payload.
Fixes
- Resolved an issue where multi-step donation forms could be incorrectly rejected as spam because Akismet was checked on every form step; the spam check now runs once on final submission.
Security
- Improved the security of the Donor Dashboard login process.
Security
- Added additional protection to the email notification settings.
Fixes
- Resolved a user role permission conflict with The Events Calendar Pro.
- Resolved an issue when using multiple Stripe accounts, recurring donations, and webhook API 2026-02-25.clover
Tweaks
- Updated Harbor to 1.2.0, removing the Liquid Web Products page when there are no premium plugins present.
Tweaks
- Moved the Liquid Web menu item to Settings -> Liquid Web Products.
- The Settings -> Liquid Web Products page now requires an opt-in to communicate with external servers.
Features
- Integrate with Nexcess Licensing and Portal.
Tweaks
- Updated branding references from StellarWP to Nexcess.
Fixes
- Resolved an issue with the separator style for the title on the donation-form thanks message.
Security
- Added additional sanitization to the Donation Form.
- Added additional access control checks to the REST API.
