CVE-2026-57396 in Free Gifts for WooCommerce Plugininfo

Summary

by MITRE • 07/13/2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flintop Free Gifts for WooCommerce free-gifts-for-woocommerce allows Stored XSS.This issue affects Free Gifts for WooCommerce: from n/a through <= 13.1.0.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/13/2026

This vulnerability represents a critical cross-site scripting flaw classified as CWE-79 in the Common Weakness Enumeration catalog, which occurs when web applications fail to properly sanitize user input before incorporating it into dynamic web page content. The issue specifically manifests within the Flintop Free Gifts for WooCommerce plugin where stored cross-site scripting attacks can be executed through improperly neutralized input during web page generation processes. Attackers can exploit this weakness by injecting malicious script code into gift configurations or product descriptions that are then stored in the database and subsequently rendered to other users visiting affected pages. The vulnerability impacts versions of the Free Gifts for WooCommerce plugin from version n/a up to and including version 13.1.0, indicating a broad range of affected releases that may have been deployed across numerous wordpress ecommerce installations.

The technical exploitation of this stored XSS vulnerability follows the ATT&CK framework pattern T1566.001 for initial access through malicious web content, where attackers craft specially formatted input containing javascript payloads that persist in the application's database. When legitimate users browse pages displaying these stored malicious inputs, their browsers execute the embedded scripts within the context of their authenticated sessions, potentially enabling session hijacking, credential theft, or redirection to malicious sites. The flaw demonstrates poor input validation and output encoding practices where user-supplied data flows directly into html generation without appropriate sanitization measures such as html entity encoding or content security policy enforcement.

The operational impact of this vulnerability extends beyond simple script execution to encompass significant security risks for ecommerce platforms relying on the affected plugin. Attackers could leverage this weakness to steal administrator credentials, modify product information, manipulate gift offerings, or redirect customers to phishing sites that mimic legitimate online stores. The stored nature of the vulnerability means that once exploited, malicious scripts persist until manually removed from the database, creating ongoing security exposure for all users who encounter the compromised content. This type of vulnerability particularly threatens online retailers where customer data and transaction information are processed through wordpress platforms.

Mitigation strategies should prioritize immediate plugin updates to versions that address the identified XSS vulnerability while implementing additional defensive measures such as input validation at multiple layers including client-side and server-side sanitization. Organizations should deploy content security policies to prevent execution of unauthorized scripts, implement proper output encoding for all dynamic content generation, and conduct regular security assessments of third-party plugins. The remediation process must include thorough verification that user inputs are properly sanitized before database storage and that rendered content maintains appropriate security boundaries to prevent script injection attacks. Security teams should also establish monitoring procedures to detect unusual patterns in plugin usage or unexpected modifications to stored data that might indicate exploitation attempts.

Responsible

Patchstack

Reservation

06/24/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00251

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!