Platform
wordpress
Component
woocommerce-ultimate-gift-card
Fixed in
2.9.7
CVE-2025-47569 describes a critical SQL Injection vulnerability discovered in the WooCommerce Ultimate Gift Card plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 2.9.6. A patch is available in version 2.9.7.
The SQL Injection vulnerability in WooCommerce Ultimate Gift Card poses a significant risk to WordPress sites utilizing this plugin. An attacker could leverage this flaw to bypass authentication mechanisms and directly query the database, potentially extracting sensitive information such as user credentials, gift card codes, customer data, and order details. Successful exploitation could lead to complete compromise of the WooCommerce store and associated data. The blind nature of the injection means that the attacker may need to perform numerous queries to extract data, but the potential impact remains severe. This vulnerability shares similarities with other SQL injection attacks where database contents are exfiltrated without direct error messages.
CVE-2025-47569 was publicly disclosed on 2025-09-09. The vulnerability's severity is classified as CRITICAL with a CVSS score of 9.3. As of this writing, there are no known public exploits or active campaigns targeting this specific vulnerability. It is listed in the NVD. The potential for exploitation remains high due to the ease of SQL injection attacks and the widespread use of WordPress and WooCommerce.
WordPress sites utilizing the WooCommerce Ultimate Gift Card plugin, particularly those running versions 0.0.0 through 2.9.6, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites with weak database security configurations are also at increased risk.
• wordpress / composer / npm:
  grep -r "wp_query('SELECT * FROM `wp_gift_cards` where 1=1" /var/www/html/wp-content/plugins/woocommerce-ultimate-gift-card
• generic web:
  curl -I https://your-wordpress-site.com/wp-content/plugins/woocommerce-ultimate-gift-card/ | grep -i "SQL Injection"
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep woocommerce-ultimate-gift-card
Disclosure
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-47569 is to immediately upgrade the WooCommerce Ultimate Gift Card plugin to version 2.9.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Monitor WordPress access logs for suspicious SQL queries or unusual database activity. Regular security audits and penetration testing are also recommended to identify and address potential vulnerabilities.
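As an added example for the log-monitoring step above (not code from the advisory, the plugin vendor, or NVD), the script below scans combined-format web server access logs for repeated blind-injection probing against the plugin's path. The plugin path comes from this page; the endpoint and parameter names, the sample log lines, the indicator patterns and the alert threshold are constructed assumptions to be tuned per site.

```python
"""Flag repeated blind-SQLi probing against the WooCommerce Ultimate Gift Card
plugin path in combined-format access logs. Added defender-side example; the
endpoint/parameter names and log lines below are constructed placeholders."""
import re
from collections import Counter
from urllib.parse import unquote_plus

PLUGIN_PATH = "/wp-content/plugins/woocommerce-ultimate-gift-card/"  # from the advisory
# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Indicators typical of boolean- and time-based blind injection (assumed starter set; tune for your site).
SQLI_RE = re.compile(r"(?i)(\bsleep\s*\(|\bbenchmark\s*\(|\bwaitfor\s+delay\b|\b(and|or)\b\s+\d+\s*=\s*\d+|'\s*(and|or)\b|\bsubstr(ing)?\s*\(|\bascii\s*\()")

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(path):
    """True when the request targets the plugin path and its decoded query string carries injection indicators."""
    if not path.startswith(PLUGIN_PATH):
        return False
    query = path.split("?", 1)[1] if "?" in path else ""
    return bool(SQLI_RE.search(unquote_plus(query)))

def find_probing_ips(lines, threshold=3):
    """Return {ip: count} for clients with at least `threshold` suspicious requests.
    Blind injection needs many requests per extracted byte, so volume per client is the signal."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec["path"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample log; "example-endpoint.php?code=" is a placeholder, not the real entry point.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2025:12:00:01 +0000] "GET /wp-content/plugins/woocommerce-ultimate-gift-card/example-endpoint.php?code=ABC123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2025:12:00:02 +0000] "GET /wp-content/plugins/woocommerce-ultimate-gift-card/example-endpoint.php?code=ABC123'%20AND%201=1--%20 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/Sep/2025:12:00:03 +0000] "GET /wp-content/plugins/woocommerce-ultimate-gift-card/example-endpoint.php?code=ABC123'%20AND%201=2--%20 HTTP/1.1" 200 40 "-" "curl/8.0"
203.0.113.9 - - [10/Sep/2025:12:00:05 +0000] "GET /wp-content/plugins/woocommerce-ultimate-gift-card/example-endpoint.php?code=ABC123'%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 40 "-" "curl/8.0"
198.51.100.7 - - [10/Sep/2025:12:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 100 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in find_probing_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} suspicious requests to the gift card plugin path")
```

Feed it real logs with `find_probing_ips(open("/var/log/apache2/access.log"))`; a hit only tells you a client is probing, so confirm the plugin version and apply the upgrade regardless.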
Update to version 2.9.7, or a newer patched version
CVE-2025-47569 is a critical SQL Injection vulnerability affecting WooCommerce Ultimate Gift Card versions 0.0.0–2.9.6, allowing attackers to extract data via blind SQL injection.
If you are using WooCommerce Ultimate Gift Card versions 0.0.0 through 2.9.6, you are affected by this vulnerability and must upgrade immediately.
Upgrade WooCommerce Ultimate Gift Card to version 2.9.7 or later to remediate the SQL Injection vulnerability. Consider disabling the plugin if immediate upgrade is not possible.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate action.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.