Skip to main content

GIFT4U Plugin CVE-2026-57324

| EUVDEUVD-2026-39736 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-qcv7-9h48-x73r
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable with no credentials or interaction required; impact limited to integrity and availability within the plugin's own scope, with no confidentiality exposure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:18 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in GIFT4U <= 1.0.10 versions.

AnalysisAI

Broken access control in the GIFT4U WordPress plugin (versions ≤ 1.0.10) exposes unauthenticated endpoints that allow remote attackers to perform unauthorized operations against WooCommerce gift card functionality. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials, no user interaction, and no special configuration beyond plugin installation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target WordPress/WooCommerce site
Delivery
Confirm GIFT4U plugin presence via plugin path or response fingerprint
Exploit
Craft HTTP request to unprotected plugin endpoint
Execution
Submit request without credentials or nonce
Persist
Missing authorization check passes
Impact
Manipulate gift card data or degrade store availability

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond the target WordPress site having the GIFT4U plugin (version ≤ 1.0.10) installed and active - the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote unauthenticated exploitation against default plugin configurations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score reflects a network-exploitable (AV:N), low-complexity (AC:L) flaw requiring no privileges (PR:N) and no user interaction (UI:N), yielding low integrity and low availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP POST request directly to an unprotected GIFT4U plugin endpoint (such as a WordPress AJAX action) without any session cookie or nonce. Because the plugin performs no authorization check, the request is processed as if it came from a privileged user, allowing the attacker to create, modify, or delete gift card records or trigger actions that degrade WooCommerce store availability.
Remediation No patched version number is specified in the available intelligence data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/gift4u-gift-cards-all-in-one-for-woo/vulnerability/wordpress-gift4u-plugin-1-0-10-broken-access-control-vulnerability should be checked for a confirmed fix release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy