CVE-2023-5703 in Gift Up Gift Cards Plugininfo

Summary

by MITRE • 11/07/2023

The Gift Up Gift Cards for WordPress and WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'giftup' shortcode in all versions up to, and including, 2.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2023-5703 affects the Gift Up Gift Cards plugin for WordPress and WooCommerce, representing a critical stored cross-site scripting vulnerability that compromises the security of WordPress installations. This flaw exists within the plugin's 'giftup' shortcode implementation and impacts all versions up to and including 2.20.1, making it a widespread concern for WordPress administrators and security professionals. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the shortcode functionality.

The technical exploitation of this vulnerability occurs through the manipulation of the giftup shortcode attributes, where authenticated attackers possessing contributor-level permissions or higher can inject malicious scripts that persist within the plugin's processing logic. These injected scripts become stored within the WordPress database and execute whenever any user accesses pages containing the compromised shortcode, creating a persistent threat vector that can affect multiple users simultaneously. The vulnerability specifically targets the plugin's handling of user input through shortcode parameters, bypassing standard WordPress security measures that typically protect against such attacks.

From an operational perspective, this vulnerability poses significant risks to WordPress sites running the affected plugin, as it allows attackers to execute arbitrary web scripts in the context of any user's browser session. The impact extends beyond simple script execution, potentially enabling session hijacking, credential theft, or redirection to malicious websites. Since the vulnerability requires only contributor-level permissions, it represents a particularly concerning threat vector as it can be exploited by users who have relatively low privileges within the WordPress administration system, making it difficult to detect and prevent through standard access control measures. The stored nature of the vulnerability means that once exploited, the malicious code remains persistent until manually removed by administrators.

The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and demonstrates characteristics consistent with ATT&CK technique T1566.001 related to spearphishing attachments and T1566.002 for spearphishing via social media. Organizations should immediately implement mitigation strategies including updating to the latest plugin version, implementing proper input validation, and conducting thorough security audits of all installed plugins. Additionally, administrators should consider implementing network monitoring to detect suspicious shortcode usage patterns and establish regular security assessments to identify potential exploitation attempts. The vulnerability highlights the critical importance of proper input sanitization and output escaping in web applications, particularly those handling user-generated content within WordPress environments where multiple user roles and permissions exist.

Responsible

Wordfence

Reservation

10/22/2023

Disclosure

11/07/2023

Moderation

accepted

CPE

ready

EPSS

0.00590

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!