VYPR
Medium severity 6.5 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58878

Description

Cross-Site Request Forgery (CSRF) vulnerability in usamafarooq Woocommerce Gifts Product woo-gift-product allows Cross Site Request Forgery. This issue affects Woocommerce Gifts Product: from n/a through <= 1.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in WooCommerce Gifts Product plugin (≤1.0.0) allows attackers to force authenticated users to perform unintended actions.

The WooCommerce Gifts Product plugin for WordPress (versions up to and including 1.0.0) contains a Cross-Site Request Forgery (CSRF) vulnerability. The plugin fails to properly validate or verify nonce tokens on certain requests, allowing an attacker to craft malicious requests that are executed in the context of an authenticated administrator or other privileged user [1].

Exploitation requires user interaction: the victim must click a malicious link, visit a crafted page, or submit a specially designed form while logged into the WordPress admin panel. The attacker does not need direct network access to the victim's browser and needs no authentication of their own beyond the victim's existing session [1].

Successful exploitation could allow an attacker to force the victim to perform unintended actions, such as changing plugin settings, modifying gift product configurations, or performing other administrative operations without the victim's knowledge. This can lead to partial loss of integrity and availability of the affected site [1].

The vendor has not released a patched version; users are advised to update the plugin as soon as a fix becomes available. As an immediate workaround, site administrators can implement additional CSRF protections or disable the plugin until a patch is applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.


References

1
