CVE-2026-57415
Received Received - Intake

Stored XSS in Gift Vouchers WordPress Plugin

Vulnerability report for CVE-2026-57415, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Patchstack

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codemenschen Gift Vouchers gift-voucher allows Stored XSS.This issue affects Gift Vouchers: from n/a through <= 4.7.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
codemenschen gift_voucher From 4.7.0|end_including=4.7.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-site Scripting (XSS) issue in the WordPress Gift Vouchers Plugin versions 4.7.0 and below. It occurs due to improper neutralization of input during web page generation, allowing attackers to inject malicious scripts into the website.

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page, which then enables attackers to execute scripts like redirects or advertisements on the affected site.

Impact Analysis

If exploited, this vulnerability can allow attackers to inject malicious scripts into your website, potentially leading to unauthorized actions such as redirecting users to malicious sites or displaying unwanted advertisements.

Because the vulnerability is unauthenticated and has a moderate severity score (CVSS 7.1), it poses a significant risk, especially in mass exploitation campaigns targeting many websites.

Successful exploitation requires user interaction, but the impact can include compromised user trust, data theft, or further attacks leveraging the injected scripts.

Detection Guidance

This vulnerability is a Stored Cross-Site Scripting (XSS) in the WordPress Gift Vouchers Plugin versions 4.7.0 and below. Detection typically involves checking the plugin version and monitoring for suspicious script injections or unusual behavior on affected web pages.

You can detect the vulnerability by verifying the installed plugin version using WordPress CLI commands or by inspecting the plugin files.

  • Check the plugin version via WP-CLI: wp plugin list | grep gift-voucher
  • Search for suspicious script tags or payloads in the database entries related to gift vouchers, for example using SQL queries on the WordPress database.
  • Monitor HTTP requests and responses for injected scripts or unexpected redirects that may indicate exploitation.
Mitigation Strategies

The immediate recommended step is to update the WordPress Gift Vouchers Plugin to version 4.7.1 or later, where the vulnerability is patched.

Until the update can be applied, apply the mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

  • Update the plugin to version 4.7.1 or newer.
  • Implement the Patchstack mitigation rule to block malicious payloads.
  • Educate users to avoid clicking suspicious links or visiting untrusted pages that could trigger the XSS.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57415. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart