Skip to main content

VillaTheme GIFT4U CVE-2026-54809

CRITICAL
SQL Injection (CWE-89)
2026-06-17 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.4 CRITICAL

Remote unauthenticated SQLi in a WordPress plugin warrants AV:N/AC:L/PR:N/UI:N; I assess S:U and I:H because injection in the same wp database typically allows reads and writes without crossing a security authority.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:26 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme GIFT4U allows Blind SQL Injection.

This issue affects GIFT4U: from n/a through 1.0.10.

AnalysisAI

Blind SQL injection in the VillaTheme GIFT4U WordPress plugin (versions through 1.0.10) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries via unsanitized user input. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality loss and partial availability impact, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running GIFT4U
Delivery
Locate vulnerable plugin endpoint
Exploit
Send crafted SQL payload in parameter
Execution
Infer data via boolean/time responses
Impact
Exfiltrate credentials and PII

Vulnerability AssessmentAI

Exploitation Exploitation requires only that a WordPress site has the VillaTheme GIFT4U plugin installed and activated at version 1.0.10 or earlier, with the vulnerable endpoint reachable over HTTP/HTTPS - consistent with the CVSS AV:N/AC:L/PR:N/UI:N vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) describes a fully remote, unauthenticated, low-complexity attack with scope change and high confidentiality impact - a profile that normally maps to mass-scannable WordPress plugin exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans WordPress sites for the GIFT4U plugin signature, then sends crafted HTTP requests to a vulnerable gift-card lookup or redemption endpoint with boolean- or time-based SQL payloads in a parameter such as a gift code or order ID. Because the injection is blind, the attacker uses sqlmap or a custom script to enumerate wp_users password hashes, secret keys from wp_options, and customer PII over many requests. …
Remediation No vendor-released patch identified at time of analysis - the Patchstack advisory documents the issue through version 1.0.10 without naming a fixed release, so administrators should monitor https://patchstack.com/database/wordpress/plugin/gift4u-gift-cards-all-in-one-for-woo/vulnerability/wordpress-gift4u-plugin-1-0-10-sql-injection-vulnerability and VillaTheme's changelog for an update beyond 1.0.10 and apply it immediately when released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress instances using GIFT4U v1.0.10 or earlier; immediately deactivate and remove the plugin; review database logs for suspicious SQL patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy