Impact
The Gift Message for WooCommerce plugin suffers a Cross‑Site Request Forgery (CSRF) flaw, which allows an attacker to cause a logged‑in user to submit a request that manipulates gift message data. The weakness enables an attacker to perform actions that normally require user consent, such as adding, editing, or deleting gift messages, without the victim’s knowledge. This flaw is classified as CWE‑352 and has a CVSS score of 4.3, indicating moderate potential impact if exploited. Based on the description, the attack vector is inferred to involve a malicious link that causes the authenticated user to submit a request to the plugin’s endpoint.
Affected Systems
The vulnerability affects installations of the powerfulwp Gift Message for WooCommerce plugin up to and including version 1.7.8. No specific operating system or WordPress core version is mentioned, so any site running an affected plugin version is at risk.
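One way to check an installation against the affected range above. This is an added example, not code from the advisory or the plugin. The header name in `PLUGIN_NAME`, the placeholder directory name and the sample header are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 7, 8)  # advisory: "up to and including version 1.7.8"
PLUGIN_NAME = "Gift Message for WooCommerce"  # assumed header name; adjust to the install

def read_header(text, field):
    """Return a WordPress plugin header field (e.g. 'Version'), or None."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", text, re.M | re.I)
    return m.group(1).strip() if m else None

def version_tuple(version):
    """'1.7.8' -> (1, 7, 8); a suffix such as '-beta' is ignored, '1.7' pads to (1, 7, 0)."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True when the version falls inside the advisory's stated range."""
    return version_tuple(version) <= LAST_AFFECTED

def audit(plugins_dir):
    """Yield (file, version, affected) for matching plugins under wp-content/plugins."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KB
        name = read_header(head, "Plugin Name")
        version = read_header(head, "Version")
        if name and version and name.lower().startswith(PLUGIN_NAME.lower()):
            yield str(php), version, is_affected(version)

# Constructed plugin header for the demo, not copied from the real plugin.
SAMPLE = """<?php
/**
 * Plugin Name: Gift Message for WooCommerce
 * Version: 1.7.8
 */
"""

def demo():
    """Build a throwaway plugins directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = Path(root, "gift-plugin-placeholder")  # placeholder folder name
        plugin_dir.mkdir()
        (plugin_dir / "plugin.php").write_text(SAMPLE)
        return [(version, hit) for _, version, hit in audit(root)]

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the path of `wp-content/plugins` to `audit()` and treat every entry flagged `True` as inside the affected range.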
Risk and Exploitability
An EPSS score below 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. An attacker would need a victim who is logged in to the WordPress site to open a malicious URL that triggers the plugin’s gift message processing logic; no conditions are required beyond a valid user session. The attack vector is inferred from the description and may involve a malicious link or a form submission targeting the plugin endpoint.