Description
The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to boolean-based SQL Injection via the 'default_price' and 'product_id' parameters in all versions up to, and including, 3.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-06-03
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection (Database Data Theft)
Action: Apply Patch
AI Analysis

Impact

The Ultimate Gift Cards for WooCommerce plugin allows an authenticated user with Administrator-level access or higher to perform boolean-based SQL injection through the 'default_price' and 'product_id' parameters handled by the wps_wgm_save_post function. The values are not adequately escaped and the query is not built with a prepared statement, so an attacker can append SQL to the existing query and, by observing whether the request behaves differently for a true or false condition, infer sensitive database contents one condition at a time. The CVSS vector (C:H/I:N/A:N) reflects this: the impact is disclosure of data, not modification or denial of service.
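To make the description above (and the vendor description at the top of the page) concrete, here is an added illustration of the CWE-89 pattern the advisory describes, written for this page and not taken from the plugin: a post-save handler that interpolates 'product_id' and 'default_price' into an unquoted numeric SQL context, beside a hardened version. The function names wgm_save_post_unsafe and wgm_save_post_safe, the table {$wpdb->prefix}wgm_gift_prices, and the nonce action/field names are hypothetical; the advisory only names wps_wgm_save_post. $wpdb->prepare(), $wpdb->query(), absint(), wp_unslash(), current_user_can() and check_admin_referer() are real WordPress APIs.

```php
<?php
// Added illustration of the CWE-89 pattern in the advisory. This is NOT the
// plugin's real code: wps_wgm_save_post is only named in the advisory title.
// The table name and both function names below are hypothetical.

/**
 * Vulnerable shape: request values are concatenated straight into SQL.
 * Because product_id and default_price are expected to be numeric they sit
 * in the query WITHOUT quotes, so a value such as
 *   1 AND (SELECT COUNT(*) FROM wp_users) > 5
 * is parsed as SQL. Whether the UPDATE matches a row then depends on the
 * truth of the injected condition; that observable difference is the
 * "boolean-based" oracle the advisory refers to. Note that esc_sql()-style
 * escaping would not have helped here either: escaping only protects a
 * quoted string context, and these values are not inside quotes.
 */
function wgm_save_post_unsafe( $post_id ) {
    global $wpdb;
    $product_id    = isset( $_POST['product_id'] ) ? $_POST['product_id'] : '';
    $default_price = isset( $_POST['default_price'] ) ? $_POST['default_price'] : '';

    // No type coercion, no prepare(): this is the CWE-89 sink.
    $sql = "UPDATE {$wpdb->prefix}wgm_gift_prices
            SET default_price = {$default_price}
            WHERE post_id = {$post_id} AND product_id = {$product_id}";
    return $wpdb->query( $sql );
}

/**
 * Hardened shape: authorise the request, coerce each input to the type the
 * schema needs, and let $wpdb->prepare() bind the values. The %d and %f
 * placeholders always emit an integer / float, so the value cannot carry
 * SQL syntax regardless of what the client sent.
 */
function wgm_save_post_safe( $post_id ) {
    global $wpdb;

    // Capability and nonce checks: only the intended admin screen may call this.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_admin_referer( 'wgm_save_post', 'wgm_nonce' ); // hypothetical action / field names

    // Type coercion first; anything that is not a number collapses to 0 / 0.0.
    $post_id       = absint( $post_id );
    $product_id    = isset( $_POST['product_id'] )
        ? absint( wp_unslash( $_POST['product_id'] ) ) : 0;
    $default_price = isset( $_POST['default_price'] )
        ? floatval( wp_unslash( $_POST['default_price'] ) ) : 0.0;

    if ( 0 === $post_id || 0 === $product_id || $default_price < 0 ) {
        return false; // reject bad input instead of writing it
    }

    // prepare() formats the placeholders itself; user data never touches $sql.
    $sql = $wpdb->prepare(
        "UPDATE {$wpdb->prefix}wgm_gift_prices
         SET default_price = %f
         WHERE post_id = %d AND product_id = %d",
        $default_price,
        $post_id,
        $product_id
    );
    return $wpdb->query( $sql );
}
```

The key point for review is the unquoted numeric context: "insufficient escaping" in the advisory does not mean a missing esc_sql() call would have fixed it. Integer and float inputs must be cast (absint(), intval(), floatval()) or bound through %d / %f placeholders; that is the check to look for when auditing other save handlers in the same plugin.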

Affected Systems

This flaw exists in all versions of the wpswings Ultimate Gift Cards for WooCommerce plugin up to and including 3.1.4, a WordPress plugin that manages gift card functionality in WooCommerce stores.

Risk and Exploitability

With a CVSS 3.1 base score of 4.9 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) the vulnerability rates Medium, and an EPSS score below 1% indicates a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires an Administrator-level session, so unauthenticated attackers cannot reach the flaw directly; the realistic path is a compromised, phished or insider administrator account. On a standard single-site WordPress install an Administrator can usually already run arbitrary PHP by uploading a plugin, so the marginal exposure is greatest where that ability has been removed (for example with DISALLOW_FILE_MODS) or on multisite networks where site-level administrators cannot install plugins; in those environments this flaw gives a constrained admin role read access to everything the WordPress database user can read.

Generated by OpenCVE AI on April 21, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ultimate Gift Cards for WooCommerce to a release later than 3.1.4 as soon as the vendor publishes one; every version up to and including 3.1.4 is affected.
  • Limit the number of Administrator accounts, enforce strong, unique passwords and multi-factor authentication for them, and review the list for stale or shared accounts.
  • Apply least-privilege grants to the WordPress database user: privileges on the WordPress database only, with no FILE, SUPER, PROCESS or cross-database grants, so that a successful injection cannot read beyond the site's own tables or the server's files.


Advisories

Source: EUVD
ID: EUVD-2025-16711
Title: The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to boolean-based SQL Injection via the 'default_price' and 'product_id' parameters in all versions up to, and including, 3.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

History

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00034}
Values Added: {'score': 0.00035}

Thu, 10 Jul 2025 14:45:00 +0000

Type: First Time appeared
Values Added: Wpswings; Wpswings ultimate Gift Cards For Woocommerce
Type: CPEs
Values Added: cpe:2.3:a:wpswings:ultimate_gift_cards_for_woocommerce:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Wpswings; Wpswings ultimate Gift Cards For Woocommerce

Tue, 03 Jun 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Jun 2025 08:30:00 +0000

Type: Description
Values Added: The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to boolean-based SQL Injection via the 'default_price' and 'product_id' parameters in all versions up to, and including, 3.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Type: Title
Values Added: Ultimate Gift Cards for WooCommerce <= 3.1.4 - Authenticated (Administrator+) SQL Injection via wps_wgm_save_post Function
Type: Weaknesses
Values Added: CWE-89
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:55.346Z

Reserved: 2025-05-22T22:32:51.033Z

Link: CVE-2025-5103

Vulnrichment

Updated: 2025-06-03T13:29:20.083Z

NVD

Status : Analyzed

Published: 2025-06-03T09:15:22.840

Modified: 2025-07-10T14:20:40.190

Link: CVE-2025-5103

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:30:27Z

Weaknesses