ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-45444 — Critical Arbitrary File Upload in WP Swings Gift Cards For WooCommerce Pro

A short review of CVE-2026-45444, a CVSS 10.0 unauthenticated arbitrary file upload vulnerability in the Gift Cards For WooCommerce Pro plugin by WP Swings, currently being exploited in the wild with no vendor patch available.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

Brief Summary: CVE-2026-45444 — Critical Arbitrary File Upload in WP Swings Gift Cards For WooCommerce Pro
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated arbitrary file upload vulnerability in a popular WooCommerce plugin is being actively exploited in mass campaigns across thousands of WordPress sites, and no vendor patch exists yet. CVE-2026-45444 carries the maximum CVSS score of 10.0 and affects all versions of Gift Cards For WooCommerce Pro through 4.2.6.

WP Swings develops free and premium plugins for WooCommerce, the dominant ecommerce platform for WordPress. Gift Cards For WooCommerce Pro enables store owners to sell and manage digital and physical gift cards, gift certificates, and store credits. Given WooCommerce's massive footprint powering millions of online stores, plugins in this ecosystem represent a significant attack surface when vulnerabilities emerge.

Technical Information

CVE-2026-45444 is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. The core issue is that the plugin fails to properly restrict the types of files that can be uploaded to the server, allowing an attacker to submit files with dangerous extensions (such as PHP scripts) without any authentication requirement.

The CVSS 3.1 vector string assigned by MITRE is:

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Breaking this down:

  • Attack Vector (AV:N): The vulnerability is exploitable over the network, meaning any attacker with HTTP access to the target site can reach the vulnerable endpoint.
  • Attack Complexity (AC:L): No special conditions or preparation are needed beyond sending a crafted request.
  • Privileges Required (PR:N): No authentication is required. This is the most dangerous classification for privilege requirements.
  • User Interaction (UI:N): No action from a legitimate user is needed to trigger exploitation.
  • Scope (S:C): The impact extends beyond the vulnerable component itself, meaning compromise of the plugin can lead to compromise of the entire hosting environment.
  • Confidentiality, Integrity, Availability (C:H/I:H/A:H): All three are rated high, reflecting the potential for complete system takeover.

Attack Flow

Based on the available advisory information, the exploitation follows a straightforward pattern:

  1. The attacker identifies a WordPress site running Gift Cards For WooCommerce Pro version 4.2.6 or earlier.
  2. The attacker sends a crafted HTTP request to the vulnerable upload functionality, submitting a malicious file (e.g., a PHP web shell) without needing to authenticate.
  3. The plugin processes the upload without adequate file type validation, storing the malicious file on the server in a web accessible location.
  4. The attacker then requests the uploaded file via its URL, causing the server to execute the malicious code.
  5. With code execution achieved, the attacker has a backdoor into the server, enabling data exfiltration, lateral movement, defacement, or use of the server in further attacks.

The specific vulnerable parameter or endpoint has not been disclosed in public advisories as of this writing. The NVD assessment is still pending. Security teams should monitor Patchstack and NVD for updated technical indicators of compromise as they become available.

Affected Systems and Versions

The vulnerability affects:

  • Plugin: Gift Cards For WooCommerce Pro (slug: giftware)
  • Vendor: WP Swings
  • Affected versions: All versions from the initial release through version 4.2.6 (inclusive)
  • Platform: WordPress with WooCommerce

Version 4.2.6 was released on March 24, 2026. Its changelog references only compatibility updates and new features, with no security fixes noted. There is no version available that addresses this vulnerability.

Vendor Security History

WP Swings publicly states adherence to SOC 2, ISO 27001, and GDPR compliance frameworks on its security and compliances page. However, the response to CVE-2026-45444 reveals a notable gap. The latest available plugin version (4.2.6) predates the vulnerability disclosure by nearly two months and contains no security related changes in its changelog. As of May 20, 2026, the vendor has not released a patched version for a vulnerability that carries the maximum possible severity score and is confirmed to be under active exploitation. This disconnect between compliance certifications and real world vulnerability response timelines is worth noting for organizations that factor vendor security posture into procurement decisions.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization