Skip to main content

Free Gifts for WooCommerce CVE-2026-57396

| EUVDEUVD-2026-43469 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Stored XSS in a WordPress plugin typically needs a low-privileged authenticated role to persist the payload (PR:L) and a victim to view it (UI:R); scope changes to the browser (S:C) with limited C/I and no real availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:00 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flintop Free Gifts for WooCommerce free-gifts-for-woocommerce allows Stored XSS.This issue affects Free Gifts for WooCommerce: from n/a through <= 13.1.0.

AnalysisAI

Stored cross-site scripting in the Flintop "Free Gifts for WooCommerce" WordPress plugin (all versions through 13.1.0) lets an attacker inject persistent JavaScript that executes in the browser of anyone viewing the affected page. Reported by Patchstack and tracked as CWE-79, it carries a CVSS 7.1 score driven by a changed scope (S:C), and has no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access plugin input field
Delivery
Inject malicious script payload
Exploit
Payload stored in database
Execution
Victim loads affected page
Persist
Script executes in victim browser
Impact
Session hijack or content manipulation

Vulnerability AssessmentAI

Exploitation Exploitation requires the Free Gifts for WooCommerce plugin (version ≤ 13.1.0) to be installed and active on a WooCommerce site, and the attacker must get a malicious payload into the specific plugin field that is rendered without encoding. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, 7.1) describes a network-reachable, low-complexity issue with no privileges but required user interaction, and a scope change reflecting that script executes in a victim's browser context rather than the vulnerable app alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits crafted input containing a JavaScript payload into a plugin-controlled field that is stored and later rendered without sanitization; when an administrator or shopper subsequently loads the affected page, the script runs in their browser session. This could hijack an authenticated admin session, alter store content, or redirect customers. …
Remediation No fixed version is stated in the available data - the affected range runs "through <= 13.1.0" with no confirmed patched release, so treat this as No vendor-released patch identified at time of analysis and monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/free-gifts-for-woocommerce/vulnerability/wordpress-free-gifts-for-woocommerce-plugin-13-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve) and the plugin's WordPress.org page for a release above 13.1.0, applying it as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all production WordPress installations to identify whether the Flintop plugin is deployed and document affected sites; contact the vendor directly for patch timeline and guidance. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy