Gift Vouchers
Monthly
Stored cross-site scripting in the Codemenschen 'Gift Vouchers' WordPress plugin (all versions up to and including 4.7.0) lets an attacker persist malicious script into plugin-managed content that later executes in the browser of any user who views the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity injection with a scope change and required victim interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. No public exploit or CISA KEV listing is identified at time of analysis, but the unauthenticated attack vector (PR:N, AV:N) lowers the bar for opportunistic exploitation significantly.
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stored cross-site scripting in the Codemenschen 'Gift Vouchers' WordPress plugin (all versions up to and including 4.7.0) lets an attacker persist malicious script into plugin-managed content that later executes in the browser of any user who views the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity injection with a scope change and required victim interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. No public exploit or CISA KEV listing is identified at time of analysis, but the unauthenticated attack vector (PR:N, AV:N) lowers the bar for opportunistic exploitation significantly.
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.