Skip to main content

Gift Vouchers

4 CVEs product

Monthly

CVE-2026-57415 HIGH This Week

Stored cross-site scripting in the Codemenschen 'Gift Vouchers' WordPress plugin (all versions up to and including 4.7.0) lets an attacker persist malicious script into plugin-managed content that later executes in the browser of any user who views the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity injection with a scope change and required victim interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Gift Vouchers
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57412 MEDIUM This Month

Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. No public exploit or CISA KEV listing is identified at time of analysis, but the unauthenticated attack vector (PR:N, AV:N) lowers the bar for opportunistic exploitation significantly.

Authentication Bypass Gift Vouchers
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-28662 CRITICAL POC THREAT Act Now

The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Gift Vouchers
NVD
CVSS 3.1
9.8
EPSS
42.2%
CVE-2018-16159 CRITICAL POC THREAT Act Now

The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress PHP Gift Vouchers
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
49.9%
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the Codemenschen 'Gift Vouchers' WordPress plugin (all versions up to and including 4.7.0) lets an attacker persist malicious script into plugin-managed content that later executes in the browser of any user who views the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity injection with a scope change and required victim interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Gift Vouchers
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. No public exploit or CISA KEV listing is identified at time of analysis, but the unauthenticated attack vector (PR:N, AV:N) lowers the bar for opportunistic exploitation significantly.

Authentication Bypass Gift Vouchers
NVD
EPSS 42% CVSS 9.8
CRITICAL POC THREAT Act Now

The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Gift Vouchers
NVD
EPSS 50% CVSS 9.8
CRITICAL POC THREAT Act Now

The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress PHP +1
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy