CVE-2026-57415 in Gift Vouchers Plugin
Summary
by MITRE • 07/13/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codemenschen Gift Vouchers gift-voucher allows Stored XSS.This issue affects Gift Vouchers: from n/a through <= 4.7.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/13/2026
This cross-site scripting vulnerability resides within the Codemenschen Gift Vouchers plugin for WordPress, specifically impacting versions through 4.7.0. The flaw represents a classic stored XSS vulnerability that occurs when user input containing malicious scripts is not properly sanitized during web page generation processes. The vulnerability falls under CWE-79 which categorizes improper neutralization of input during web page generation as a primary weakness leading to XSS attacks.
The technical execution of this vulnerability involves an attacker submitting malicious script code through the gift voucher creation or modification interface. When other users view these vouchers, the stored payload executes in their browsers without proper sanitization or encoding. This allows attackers to inject malicious JavaScript that can steal session cookies, perform unauthorized actions on behalf of users, or redirect them to malicious sites.
The operational impact extends beyond simple script execution as it enables persistent attack vectors that can compromise user sessions and potentially lead to full account takeovers. Attackers can leverage this vulnerability to establish backdoors, exfiltrate sensitive data, or manipulate the gift voucher functionality itself. The stored nature of this XSS means that victims do not need to interact with a specific malicious link but are compromised whenever they view pages containing the malicious content.
From an ATT&CK framework perspective, this vulnerability maps to T1566.001 for initial access through malicious web content and T1071.001 for application layer protocol usage. The attack chain typically involves crafting malicious input that gets stored server-side and then executed client-side when legitimate users access the affected pages.
Mitigation strategies include immediate patching to version 4.7.1 or later where this vulnerability has been resolved. Administrators should implement comprehensive input validation and output encoding practices throughout the application. Additionally, implementing Content Security Policy headers can provide defense-in-depth measures against script execution. Regular security audits of third-party plugins and maintaining updated WordPress core installations remain critical defensive measures that prevent exploitation of similar vulnerabilities in other components of the web application stack.