CVE-2025-31781
Description
Missing authorization vulnerability in Gift Cards for WooCommerce up to version 1.5.8 allows attackers to exploit incorrectly configured access control security levels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Gift Cards for WooCommerce plugin (woo-giftcards), versions 1.5.8 and below, contains a missing authorization vulnerability [1]. The issue resides in the plugin's access control mechanisms, which are incorrectly configured, allowing exploitation without proper permission checks. The plugin requires WooCommerce to be installed and activated, with WooCommerce Coupons enabled in settings [1]. Affected versions include all releases through 1.5.8; no lower bound is given.
Exploitation
An attacker needs no special privileges or authentication, as the vulnerability lies in incorrectly configured access control security levels [1]. By crafting a request that bypasses permission checks, an attacker can exploit the missing authorization to perform actions that should require higher-level access. No user interaction is required beyond the attacker sending the exploit request.
Impact
Successful exploitation allows an attacker to access unauthorized functionality within the plugin, potentially leading to information disclosure or modification of gift card data [1]. The exact privilege level gained depends on the missing authorization, but it could enable an attacker to create, modify, or view gift cards without proper permissions, impacting the confidentiality and integrity of WooCommerce gift card operations.
Mitigation
As of the publication date, no fixed version has been released [1]. Users should update to a patched version once available and review their site's access control configurations. The plugin has not been updated since 2023-08-14 and has limited support [1]. There is no known workaround described in available references.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
- Range: <=1.5.8
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.