Skip to main content

Gift Vouchers EUVDEUVD-2026-43484

| CVE-2026-57412 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-accessible unauthenticated endpoint with no complexity; scope unchanged; no confidentiality impact; low integrity and availability impact consistent with voucher manipulation.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:24 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Codemenschen Gift Vouchers gift-voucher allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gift Vouchers: from n/a through <= 4.6.9.

AnalysisAI

Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate WordPress plugins on target site
Delivery
Confirm Gift Vouchers ≤ 4.6.9 installed and active
Exploit
Send unauthenticated HTTP request to unprotected plugin endpoint
Execution
Bypass missing authorization check
Impact
Manipulate or disrupt gift voucher data

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (CVSS PR:N) and no user interaction (UI:N) against a network-accessible WordPress installation (AV:N/AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The assigned CVSS 6.5 Medium score is consistent with the attack profile: network-accessible, no authentication required, low complexity, but bounded to low integrity and availability impact with no confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress site running Gift Vouchers ≤ 4.6.9 - trivially detectable via plugin enumeration or HTTP response headers - then sends a crafted HTTP request directly to the vulnerable plugin endpoint without any credentials. The missing authorization check allows the request to succeed, enabling the attacker to modify or disrupt gift voucher records (e.g., invalidating vouchers, altering discount values, or creating unauthorized entries). …
Remediation The primary remediation is to update the Gift Vouchers plugin to the version released after 4.6.9; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/gift-voucher/vulnerability/wordpress-gift-vouchers-plugin-4-6-9-broken-access-control-vulnerability and the WordPress plugin repository changelog to identify the exact patched release - a specific fixed version number is not confirmed in the current intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43484 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy