Impact
The Gift Certificate Creator plugin for WordPress is vulnerable to reflected cross‑site scripting through the receip_address parameter. Because the plugin does not sanitize or escape user input, an attacker can embed arbitrary JavaScript. When a user clicks a crafted link that includes the malicious parameter, the script is executed in the context of the victim’s browser, allowing attackers to steal session cookies, redirect users, or perform other malicious actions that compromise confidentiality and integrity. The flaw allows unauthenticated actors to inject code without needing elevated privileges.
Affected Systems
All installations of the Gift Certificate Creator WordPress plugin up to and including version 1.1.0 are affected. The plugin can be identified by the vendor product name bobcares_plugins:Gift Certificate Creator.
Risk and Exploitability
The CVSS score of 6.1 indicates a moderate severity, while the EPSS score of less than 1 % suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a user to interact with a crafted URL containing the receip_address parameter, making it a user‑interaction‑dependent, reflected XSS attack.
OpenCVE Enrichment
EUVD