Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-accessible unauthenticated endpoint with no complexity; scope unchanged; no confidentiality impact; low integrity and availability impact consistent with voucher manipulation.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Codemenschen Gift Vouchers gift-voucher allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gift Vouchers: from n/a through <= 4.6.9.
AnalysisAI
Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires no authentication (CVSS PR:N) and no user interaction (UI:N) against a network-accessible WordPress installation (AV:N/AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The assigned CVSS 6.5 Medium score is consistent with the attack profile: network-accessible, no authentication required, low complexity, but bounded to low integrity and availability impact with no confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running Gift Vouchers ≤ 4.6.9 - trivially detectable via plugin enumeration or HTTP response headers - then sends a crafted HTTP request directly to the vulnerable plugin endpoint without any credentials. The missing authorization check allows the request to succeed, enabling the attacker to modify or disrupt gift voucher records (e.g., invalidating vouchers, altering discount values, or creating unauthorized entries). … |
| Remediation | The primary remediation is to update the Gift Vouchers plugin to the version released after 4.6.9; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/gift-voucher/vulnerability/wordpress-gift-vouchers-plugin-4-6-9-broken-access-control-vulnerability and the WordPress plugin repository changelog to identify the exact patched release - a specific fixed version number is not confirmed in the current intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gift Vouchers
View allThe Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL in
The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/ad
Stored cross-site scripting in the Codemenschen 'Gift Vouchers' WordPress plugin (all versions up to and including 4.7.0
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43484