CVE-2023-5703 in Gift Up Gift Cards Plugin
Summary
by MITRE • 11/07/2023
The Gift Up Gift Cards for WordPress and WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'giftup' shortcode in all versions up to, and including, 2.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2023-5703 affects the Gift Up Gift Cards plugin for WordPress and WooCommerce, representing a critical stored cross-site scripting vulnerability that compromises the security of WordPress installations. This flaw exists within the plugin's 'giftup' shortcode implementation and impacts all versions up to and including 2.20.1, making it a widespread concern for WordPress administrators and security professionals. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the shortcode functionality.
The technical exploitation of this vulnerability occurs through the manipulation of the giftup shortcode attributes, where authenticated attackers possessing contributor-level permissions or higher can inject malicious scripts that persist within the plugin's processing logic. These injected scripts become stored within the WordPress database and execute whenever any user accesses pages containing the compromised shortcode, creating a persistent threat vector that can affect multiple users simultaneously. The vulnerability specifically targets the plugin's handling of user input through shortcode parameters, bypassing standard WordPress security measures that typically protect against such attacks.
From an operational perspective, this vulnerability poses significant risks to WordPress sites running the affected plugin, as it allows attackers to execute arbitrary web scripts in the context of any user's browser session. The impact extends beyond simple script execution, potentially enabling session hijacking, credential theft, or redirection to malicious websites. Since the vulnerability requires only contributor-level permissions, it represents a particularly concerning threat vector as it can be exploited by users who have relatively low privileges within the WordPress administration system, making it difficult to detect and prevent through standard access control measures. The stored nature of the vulnerability means that once exploited, the malicious code remains persistent until manually removed by administrators.
The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and demonstrates characteristics consistent with ATT&CK technique T1566.001 related to spearphishing attachments and T1566.002 for spearphishing via social media. Organizations should immediately implement mitigation strategies including updating to the latest plugin version, implementing proper input validation, and conducting thorough security audits of all installed plugins. Additionally, administrators should consider implementing network monitoring to detect suspicious shortcode usage patterns and establish regular security assessments to identify potential exploitation attempts. The vulnerability highlights the critical importance of proper input sanitization and output escaping in web applications, particularly those handling user-generated content within WordPress environments where multiple user roles and permissions exist.