Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme GIFT4U allows Blind SQL Injection.

This issue affects GIFT4U: from n/a through 1.0.10.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of special characters in an SQL command, classified as SQL Injection (CWE‑89). An attacker can craft input that is incorporated into database queries without proper sanitization, resulting in a blind SQL Injection that may allow reading or altering the WordPress site’s database. The defect could lead to compromise of sensitive information, disruption of service, or unauthorized data tampering.

Affected Systems

The flaw is present in the VillaTheme GIFT4U WordPress plugin version 1.0.10 and all earlier releases. Sites running this plugin, whether self‑hosted or via standard WordPress installations, are susceptible until the plugin is updated to version 1.1.0 or later.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely remote through the web interface of the plugin. While no exploit probability is provided, the high CVSS and the nature of the flaw suggest it could be exploited by unauthenticated attackers targeting exposed plugin endpoints.

Generated by OpenCVE AI on June 18, 2026 at 13:48 UTC.

Remediation

Vendor Solution

Update the WordPress GIFT4U Plugin to the latest available version (at least 1.1.0).


OpenCVE Recommended Actions

  • Upgrade the VillaTheme GIFT4U plugin to at least version 1.1.0, which contains the fix for the SQL Injection flaw.
  • If an upgrade is not immediately possible, disable the GIFT4U plugin or block access to its administrative endpoints until a patch is applied.
  • After applying the patch, perform a database integrity scan for any unintended that might have resulted from an earlier exploitation attempt.

Generated by OpenCVE AI on June 18, 2026 at 13:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Villatheme
Villatheme gift4u
Wordpress
Wordpress wordpress
Vendors & Products Villatheme
Villatheme gift4u
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme GIFT4U allows Blind SQL Injection. This issue affects GIFT4U: from n/a through 1.0.10.
Title WordPress GIFT4U plugin <= 1.0.10 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Villatheme Gift4u
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:27:51.550Z

Reserved: 2026-06-16T09:21:34.478Z

Link: CVE-2026-54809

cve-icon Vulnrichment

Updated: 2026-06-17T14:14:36.756Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:29Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')