VYPR
Critical severity 10.0 · NVD Advisory · Published May 20, 2026

CVE-2026-45444

Description

Unrestricted Upload of File with Dangerous Type vulnerability in WP Swings Gift Cards For WooCommerce Pro allows Using Malicious Files.

This issue affects Gift Cards For WooCommerce Pro: from n/a through 4.2.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unrestricted file upload in Gift Cards For WooCommerce Pro ≤4.2.6 allows attackers to upload malicious files, leading to full site compromise.

Vulnerability

An unrestricted file upload vulnerability exists in WP Swings Gift Cards For WooCommerce Pro, a WordPress plugin. Versions through 4.2.6 are affected. The plugin does not properly validate or restrict the types of files that can be uploaded, so an attacker can upload files with dangerous extensions (e.g., .php). This issue is known to be exploited in mass campaigns [1].

Exploitation

An attacker needs only network access to the WordPress site where the plugin is active; no authentication or special privileges are required. The attacker can directly use the plugin's file upload functionality to submit a malicious file, such as a web shell or backdoor. The file is then stored on the server and can be accessed via a web request, leading to code execution [1].

Impact

Successful exploitation enables arbitrary file upload, which typically results in remote code execution (RCE). An attacker can gain full control of the affected WordPress site, including the ability to read, modify, or delete data, install further malware, and pivot to other systems. The vulnerability is rated Critical with a CVSS v3 score of 10.0 and is listed as a Known Exploitable Vulnerability (KEV) [1].

Mitigation

Update the Gift Cards For WooCommerce Pro plugin to a version later than 4.2.6. If an immediate update is not possible, restrict file upload capabilities via server-level controls (e.g., disallow execution in upload directories) and consult your hosting provider or web developer for assistance [1].
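An added example, not from the advisory or the plugin vendor: a Python audit that supports the server-level control above by listing files in an uploads tree that the web server could execute. It assumes uploads land under the standard WordPress `wp-content/uploads` directory (the advisory does not name the plugin's upload path) and that the extension list matches what your server hands to PHP.

```python
import os
import sys

# Assumed list: extensions commonly mapped to the PHP handler; align with your server config.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# Per-directory files that can re-enable or redirect script execution.
OVERRIDES = {".htaccess", ".user.ini"}


def classify(filename):
    """Return a reason string if the file warrants review in an uploads tree, else None."""
    lower = filename.lower()
    if lower in OVERRIDES:
        return "per-directory config override"
    # Check every dot-separated part, not just the last one: with Apache
    # AddHandler, 'card.php.jpg' can still be handed to PHP.
    if any(part in PHP_EXTS for part in lower.split(".")[1:]):
        return "php-handled extension"
    return None


def audit_uploads(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, reason))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed default path; pass the real uploads directory as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    hits = audit_uploads(root)
    for rel, reason in hits:
        print(f"{reason}: {rel}")
    sys.exit(1 if hits else 0)
```

A deny rule you placed yourself in an uploads `.htaccess` is reported as well, so review each finding before removing anything.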

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
