Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Stored XSS in a WordPress plugin typically needs a low-privileged authenticated role to persist the payload (PR:L) and a victim to view it (UI:R); scope changes to the browser (S:C) with limited C/I and no real availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flintop Free Gifts for WooCommerce free-gifts-for-woocommerce allows Stored XSS.This issue affects Free Gifts for WooCommerce: from n/a through <= 13.1.0.
Articles & Coverage 1
AnalysisAI
Stored cross-site scripting in the Flintop "Free Gifts for WooCommerce" WordPress plugin (all versions through 13.1.0) lets an attacker inject persistent JavaScript that executes in the browser of anyone viewing the affected page. Reported by Patchstack and tracked as CWE-79, it carries a CVSS 7.1 score driven by a changed scope (S:C), and has no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Free Gifts for WooCommerce plugin (version ≤ 13.1.0) to be installed and active on a WooCommerce site, and the attacker must get a malicious payload into the specific plugin field that is rendered without encoding. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, 7.1) describes a network-reachable, low-complexity issue with no privileges but required user interaction, and a scope change reflecting that script executes in a victim's browser context rather than the vulnerable app alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits crafted input containing a JavaScript payload into a plugin-controlled field that is stored and later rendered without sanitization; when an administrator or shopper subsequently loads the affected page, the script runs in their browser session. This could hijack an authenticated admin session, alter store content, or redirect customers. … |
| Remediation | No fixed version is stated in the available data - the affected range runs "through <= 13.1.0" with no confirmed patched release, so treat this as No vendor-released patch identified at time of analysis and monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/free-gifts-for-woocommerce/vulnerability/wordpress-free-gifts-for-woocommerce-plugin-13-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve) and the plugin's WordPress.org page for a release above 13.1.0, applying it as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all production WordPress installations to identify whether the Flintop plugin is deployed and document affected sites; contact the vendor directly for patch timeline and guidance. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43469