CVE-2025-47569

WPSwings · WooCommerce Ultimate Gift Card

The WPSwings WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to SQL injection, allowing attackers to manipulate database queries.

Executive summary

A critical SQL injection vulnerability in the WPSwings WooCommerce Ultimate Gift Card plugin allows unauthenticated attackers to access or modify sensitive database content.

Vulnerability

This vulnerability stems from the improper neutralization of special elements in SQL commands. An unauthenticated attacker can inject malicious SQL queries, potentially leading to unauthorized data exposure or administrative access to the database.
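The weakness class named above (CWE-89, unprepared SQL built from request input) is easiest to recognise side by side with its fix. The following is an added illustration written against the WordPress `$wpdb` API; it is not code from the WooCommerce Ultimate Gift Card plugin, and the table name `gift_cards`, the column names, the function names and the `code` request parameter are all assumptions chosen for the example.

```php
<?php
// Added example (hypothetical, not the plugin's code): a gift-card lookup in
// the unsafe pattern that CWE-89 describes, then the same lookup hardened
// with $wpdb->prepare(). Table and column names are assumptions.

// Unsafe: the request value is spliced straight into the SQL string, so any
// quote or operator in it becomes part of the query text.
function gc_lookup_unsafe( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'gift_cards'; // hypothetical table
    $sql   = "SELECT id, balance FROM {$table} WHERE code = '" . $code . "'";
    return $wpdb->get_row( $sql );
}

// Hardened: $wpdb->prepare() binds the value; %s is quoted and escaped by
// WordPress, so the input can no longer change the structure of the query.
function gc_lookup_safe( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'gift_cards';
    $sql   = $wpdb->prepare(
        "SELECT id, balance FROM {$table} WHERE code = %s",
        $code
    );
    return $wpdb->get_row( $sql );
}

// Integer parameters: cast with absint() and bind with %d, so a non-numeric
// value becomes 0 instead of reaching the query as text.
function gc_get_balance_safe( $card_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'gift_cards';
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT balance FROM {$table} WHERE id = %d", absint( $card_id ) )
    );
}

// LIKE searches need two steps: esc_like() neutralises the % and _ wildcards
// in the user value, then prepare() binds the result as an ordinary string.
function gc_search_safe( $needle ) {
    global $wpdb;
    $table = $wpdb->prefix . 'gift_cards';
    $like  = '%' . $wpdb->esc_like( $needle ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, code FROM {$table} WHERE code LIKE %s", $like )
    );
}

// Hypothetical admin-ajax entry point. Prepared statements remove the
// injection; the capability check and nonce close the unauthenticated path
// that the advisory describes.
function gc_admin_lookup_handler() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'gc_lookup', 'nonce' );
    $code = isset( $_POST['code'] ) ? sanitize_text_field( wp_unslash( $_POST['code'] ) ) : '';
    wp_send_json_success( gc_lookup_safe( $code ) );
}
add_action( 'wp_ajax_gc_admin_lookup', 'gc_admin_lookup_handler' );
```

When auditing a plugin for this class of bug, grep for `$wpdb->query`, `get_row`, `get_var` and `get_results` calls whose SQL is built with string concatenation or interpolation of anything derived from `$_GET`, `$_POST`, `$_REQUEST` or REST parameters; every such call should route through `$wpdb->prepare()` with `%s`/`%d` placeholders, and `esc_like()` must be applied before binding a value used in a `LIKE` clause.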

Business impact

The CVSS score of 9.3 highlights the extreme severity of this SQL injection, which directly threatens the confidentiality and integrity of the e-commerce database. Successful exploitation could result in the theft of customer records, payment information, or administrative credentials, leading to significant reputational and financial damage.

Remediation

Immediate Action: Consult the vendor advisory for the latest patched version of the WooCommerce Ultimate Gift Card plugin and update immediately.

Proactive Monitoring: Monitor database query logs for suspicious syntax or unexpected patterns, particularly those involving gift card management functions.

Compensating Controls: Deploy a WAF with specific rules to detect and block SQL injection attempts targeting WordPress plugin parameters.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the high CVSS score and the sensitive nature of e-commerce data, this vulnerability must be treated as a priority. Administrators should ensure the plugin is updated to the latest version provided by the vendor to eliminate the injection risk.