Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card woocommerce-ultimate-gift-card allows Blind SQL Injection.This issue affects WooCommerce Ultimate Gift Card: from n/a through <= 2.9.6.
Published: 2025-09-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input sanitization in the WPSwings WooCommerce Ultimate Gift Card plugin allows attackers to execute arbitrary SQL commands against the database. The vulnerability is a blind SQL injection, meaning the attacker may not receive immediate feedback but can infer data through response timing or other side‑channels. If exploited, an attacker could read, modify, or delete sensitive data such as customer orders, payment information, or store configuration, and potentially gain persistent access to the site’s backend. The weakness is identified as CWE-89, which indicates lack of proper SQL query handling.

Affected Systems

All installations of the WPSwings WooCommerce Ultimate Gift Card plugin version 2.9.6 or earlier are affected. The plugin is commonly used on WordPress sites to manage gift card functionality. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity with high impact and ease of exploitation. The EPSS score of less than 1% suggests the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to target the plugin’s input endpoints, likely via crafted requests that trigger hidden SQL statements. Because the vulnerability is blind, detection requires monitoring for abnormal responses or traffic patterns. Overall, the risk remains high due to the potential for full database compromise, but current exploitation probability is low.

Generated by OpenCVE AI on April 30, 2026 at 07:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WooCommerce Ultimate Gift Card plugin to version 2.9.7 or later where the blind SQL injection is fixed.
  • If an immediate upgrade is not possible, disable or uninstall the plugin to remove the attack surface.
  • In the meantime, employ Web Application Firewall rules to block suspicious SQL patterns and ensure database input is properly escaped using prepared statements, addressing CWE-89 conditions.

Generated by OpenCVE AI on April 30, 2026 at 07:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27441 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates. This issue affects WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates: from n/a through 2.8.10.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates. This issue affects WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates: from n/a through 2.8.10. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card woocommerce-ultimate-gift-card allows Blind SQL Injection.This issue affects WooCommerce Ultimate Gift Card: from n/a through <= 2.9.6.
Title WordPress WooCommerce Ultimate Gift Card plugin <= 2.8.10 - SQL Injection vulnerability WordPress WooCommerce Ultimate Gift Card plugin <= 2.9.6 - SQL Injection vulnerability
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Tue, 09 Sep 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Sep 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Woocommerce
Woocommerce gift Cards
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Wpswings
Wpswings ultimate Gift Cards For Woocommerce
Vendors & Products Woocommerce
Woocommerce gift Cards
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Wpswings
Wpswings ultimate Gift Cards For Woocommerce

Tue, 09 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSwings WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates. This issue affects WooCommerce Ultimate Gift Card - Create, Sell and Manage Gift Cards with Customized Email Templates: from n/a through 2.8.10.
Title WordPress WooCommerce Ultimate Gift Card plugin <= 2.8.10 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Woocommerce Gift Cards Woocommerce
Wordpress Wordpress
Wpswings Ultimate Gift Cards For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:45.018Z

Reserved: 2025-05-07T09:55:20.908Z

Link: CVE-2025-47569

cve-icon Vulnrichment

Updated: 2025-09-09T17:50:06.627Z

cve-icon NVD

Status : Deferred

Published: 2025-09-09T17:15:46.087

Modified: 2026-04-23T15:30:30.320

Link: CVE-2025-47569

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T07:15:31Z

Weaknesses