Impact
The flaw is an unrestricted upload of files with dangerous types in the Gift Cards For WooCommerce Pro plugin. The plugin does not validate the file type of uploads, which allows an attacker to place a file containing malicious code, such as a PHP script, onto the WordPress server. The CVE entry does not state that the uploaded file is executed automatically, but an arbitrary file upload that accepts script files implies a high likelihood that the file, once accessible, could be executed in the web context, giving the attacker remote code execution capabilities.
Affected Systems
WP Swings Gift Cards For WooCommerce Pro is affected in all releases up through version 4.2.6; no later release is known to contain a fix.
Risk and Exploitability
With a CVSS score of 10, the vulnerability is classified as critical. The absence of EPSS data makes it difficult to gauge real‑world exploitation frequency, but the high base score and lack of hardening measures suggest the risk is significant. The attack vector is likely through the plugin’s file upload interface: an attacker could either use the configuration page accessible to administrators or potentially submit a file via a publicly exposed upload endpoint if the plugin does not require authentication. Because the flaw allows uploading dangerous file types, the potential impact includes remote code execution, data exfiltration, and full site compromise. The vulnerability is not listed in CISA’s KEV catalog.
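A defender's check for the outcome described above, as an added example that is not from the advisory or the plugin: it audits a WordPress uploads tree for script files, including ones hidden behind an image extension or embedded in image content. The directory layout, extension list and sample files are constructed assumptions; the plugin's actual upload path is not stated on this page.

```python
import os
import re
import tempfile

# Extensions often mapped to the PHP handler (assumption: varies by server config).
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# Match only "<?php": XMP metadata in real images legitimately contains "<?xpacket".
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def classify(path):
    """Return why a file looks like an uploaded script, or None if it does not."""
    parts = os.path.basename(path).lower().split(".")[1:]
    if parts and parts[-1] in SCRIPT_EXT:
        return "script extension"
    if any(p in SCRIPT_EXT for p in parts[:-1]):
        return "script extension before final extension"
    with open(path, "rb") as fh:  # reads the whole file; slow on large media
        if PHP_TAG.search(fh.read()):
            return "PHP open tag in non-script file"
    return None

def audit_uploads(root):
    """Walk an uploads tree and map relative path -> reason for each finding."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reason
    return findings

def demo():
    """Audit a constructed tree standing in for wp-content/uploads."""
    samples = {  # constructed sample files, not taken from any real site
        "2024/05/card.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2024/05/template.php": b"<?php echo 'constructed sample'; ?>",
        "2024/05/logo.php.jpg": b"\xff\xd8\xff\xe0",
        "2024/05/photo.jpg": b"\xff\xd8\xff\xe0<?php echo 1; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return audit_uploads(root)

if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: {reason}")
```

Content matches are heuristic and need manual review before a file is treated as malicious.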