Skip to main content

Gift Vouchers CVE-2026-57415

| EUVDEUVD-2026-43342 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Stored XSS typically needs an authenticated submission path (PR:L) and victim page-load (UI:R); scope changes to the browser (S:C) with low C/I impact and no real availability effect.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:55 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codemenschen Gift Vouchers gift-voucher allows Stored XSS.This issue affects Gift Vouchers: from n/a through <= 4.7.0.

AnalysisAI

Stored cross-site scripting in the Codemenschen 'Gift Vouchers' WordPress plugin (all versions up to and including 4.7.0) lets an attacker persist malicious script into plugin-managed content that later executes in the browser of any user who views the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity injection with a scope change and required victim interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate Gift Vouchers submission form
Delivery
Inject stored XSS payload into voucher field
Exploit
Payload persisted in WordPress database
Execution
Victim loads rendering page
Persist
Script executes in victim browser
Impact
Hijack session or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires that attacker-controlled input reach a Gift Vouchers plugin field that is stored and later rendered into an HTML page (a stored XSS sink such as a voucher creation, redemption, or order form), and it requires victim interaction (UI:R) - a user or administrator must load the page that displays the poisoned data for the payload to fire. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward moderate real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a gift-voucher field or form value containing a JavaScript payload, which the plugin stores without sanitization. When an administrator or customer later opens the page that renders that value, the script executes in their browser session, enabling session/cookie theft, admin-panel actions on their behalf, or redirection. …
Remediation No vendor-released patched version is identified in the available data - the advisory records affected versions through <= 4.7.0 without naming a fixed release, so the primary action is to monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/gift-voucher/vulnerability/wordpress-gift-vouchers-plugin-4-7-0-cross-site-scripting-xss-vulnerability) and the WordPress.org plugin page and upgrade to a release later than 4.7.0 as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all WordPress installations running Codemenschen Gift Vouchers version 4.7.0 or earlier and audit existing voucher content for suspicious script injection. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy