Introduction
An unauthenticated arbitrary file upload vulnerability in a popular WooCommerce plugin is being actively exploited in mass campaigns across thousands of WordPress sites, and no vendor patch exists yet. CVE-2026-45444 carries the maximum CVSS score of 10.0 and affects all versions of Gift Cards For WooCommerce Pro through 4.2.6.
WP Swings develops free and premium plugins for WooCommerce, the dominant ecommerce platform for WordPress. Gift Cards For WooCommerce Pro enables store owners to sell and manage digital and physical gift cards, gift certificates, and store credits. Given WooCommerce's massive footprint powering millions of online stores, plugins in this ecosystem represent a significant attack surface when vulnerabilities emerge.
Technical Information
CVE-2026-45444 is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. The core issue is that the plugin fails to properly restrict the types of files that can be uploaded to the server, allowing an attacker to submit files with dangerous extensions (such as PHP scripts) without any authentication requirement.
The CVSS 3.1 vector string assigned by MITRE is:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Breaking this down:
- Attack Vector (AV:N): The vulnerability is exploitable over the network, meaning any attacker with HTTP access to the target site can reach the vulnerable endpoint.
- Attack Complexity (AC:L): No special conditions or preparation are needed beyond sending a crafted request.
- Privileges Required (PR:N): No authentication is required. This is the most dangerous classification for privilege requirements.
- User Interaction (UI:N): No action from a legitimate user is needed to trigger exploitation.
- Scope (S:C): The impact extends beyond the vulnerable component itself, meaning compromise of the plugin can lead to compromise of the entire hosting environment.
- Confidentiality, Integrity, Availability (C:H/I:H/A:H): All three are rated high, reflecting the potential for complete system takeover.
Attack Flow
Based on the available advisory information, the exploitation follows a straightforward pattern:
- The attacker identifies a WordPress site running Gift Cards For WooCommerce Pro version 4.2.6 or earlier.
- The attacker sends a crafted HTTP request to the vulnerable upload functionality, submitting a malicious file (e.g., a PHP web shell) without needing to authenticate.
- The plugin processes the upload without adequate file type validation, storing the malicious file on the server in a web accessible location.
- The attacker then requests the uploaded file via its URL, causing the server to execute the malicious code.
- With code execution achieved, the attacker has a backdoor into the server, enabling data exfiltration, lateral movement, defacement, or use of the server in further attacks.
The specific vulnerable parameter or endpoint has not been disclosed in public advisories as of this writing. The NVD assessment is still pending. Security teams should monitor Patchstack and NVD for updated technical indicators of compromise as they become available.
Affected Systems and Versions
The vulnerability affects:
- Plugin: Gift Cards For WooCommerce Pro (slug:
giftware) - Vendor: WP Swings
- Affected versions: All versions from the initial release through version 4.2.6 (inclusive)
- Platform: WordPress with WooCommerce
Version 4.2.6 was released on March 24, 2026. Its changelog references only compatibility updates and new features, with no security fixes noted. There is no version available that addresses this vulnerability.
Vendor Security History
WP Swings publicly states adherence to SOC 2, ISO 27001, and GDPR compliance frameworks on its security and compliances page. However, the response to CVE-2026-45444 reveals a notable gap. The latest available plugin version (4.2.6) predates the vulnerability disclosure by nearly two months and contains no security related changes in its changelog. As of May 20, 2026, the vendor has not released a patched version for a vulnerability that carries the maximum possible severity score and is confirmed to be under active exploitation. This disconnect between compliance certifications and real world vulnerability response timelines is worth noting for organizations that factor vendor security posture into procurement decisions.
References
- Patchstack Advisory: WordPress Gift Cards For WooCommerce Pro Plugin 4.2.6 Arbitrary File Upload Vulnerability
- NVD Entry: CVE-2026-45444
- MITRE CVE Record: CVE-2026-45444
- WP Swings Gift Cards For WooCommerce Pro Changelog
- WP Swings Security and Compliances
- WP Swings Gift Cards For WooCommerce Pro Product Page



