Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Stored XSS typically needs an authenticated submission path (PR:L) and victim page-load (UI:R); scope changes to the browser (S:C) with low C/I impact and no real availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codemenschen Gift Vouchers gift-voucher allows Stored XSS.This issue affects Gift Vouchers: from n/a through <= 4.7.0.
AnalysisAI
Stored cross-site scripting in the Codemenschen 'Gift Vouchers' WordPress plugin (all versions up to and including 4.7.0) lets an attacker persist malicious script into plugin-managed content that later executes in the browser of any user who views the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity injection with a scope change and required victim interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that attacker-controlled input reach a Gift Vouchers plugin field that is stored and later rendered into an HTML page (a stored XSS sink such as a voucher creation, redemption, or order form), and it requires victim interaction (UI:R) - a user or administrator must load the page that displays the poisoned data for the payload to fire. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward moderate real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a gift-voucher field or form value containing a JavaScript payload, which the plugin stores without sanitization. When an administrator or customer later opens the page that renders that value, the script executes in their browser session, enabling session/cookie theft, admin-panel actions on their behalf, or redirection. … |
| Remediation | No vendor-released patched version is identified in the available data - the advisory records affected versions through <= 4.7.0 without naming a fixed release, so the primary action is to monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/gift-voucher/vulnerability/wordpress-gift-vouchers-plugin-4-7-0-cross-site-scripting-xss-vulnerability) and the WordPress.org plugin page and upgrade to a release later than 4.7.0 as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all WordPress installations running Codemenschen Gift Vouchers version 4.7.0 or earlier and audit existing voucher content for suspicious script injection. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gift Vouchers
View allThe Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL in
The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/ad
Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthe
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43342