WordPress Security Bulletin: Gift Up Gift Cards for WordPress and WooCommerce (CVE-2026-32412)

Security Alert Summary

A Server-Side Request Forgery (SSRF) vulnerability has been reported in the Gift Up Gift Cards for WordPress and WooCommerce plugin. The issue affects releases up to and including version 3.1.7 and may allow an unauthenticated actor to trigger requests from the server to arbitrary network resources reachable by the site.


CVE Details

  • CVE ID: CVE-2026-32412
  • Affected component: Gift Up Gift Cards for WordPress and WooCommerce
  • Affected versions: from n/a through <= 3.1.7 (the lower bound is listed as n/a in the CVE entry)
  • Published: March 13, 2026 at 7:54:58 PM (time as provided in the CVE entry)
  • Last modified: March 13, 2026 at 7:54:58 PM (time as provided in the CVE entry)
  • CVSS v3.1 base score: 5.4; Severity: MEDIUM
  • CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Authentication not required; Privileges Required: NONE; User Interaction: NONE; Attack Complexity: HIGH; Scope: CHANGED
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • Weakness (CWE): CWE-918 (Server-Side Request Forgery)
  • Fixed version: Not specified in the CVE entry

Technical Details

The CVE description identifies a Server-Side Request Forgery (SSRF) vulnerability in the Gift Up Gift Cards for WordPress and WooCommerce plugin. According to the entry, the vulnerability allows an attacker to cause the server to make requests. The affected range is reported as “from n/a through <= 3.1.7.”

The CVE does not name specific PHP functions, WordPress hooks, or REST API endpoints associated with the issue. No additional implementation details or exploit code are provided in the CVE entry.

Because the vulnerability is an SSRF, an attacker who can trigger the flaw may cause the web server to make outgoing requests to internal or external resources that the server can reach. The provided CVSS metrics indicate that no authentication or user interaction is required but that attack complexity is high; the rated impact is low on confidentiality and integrity and none on availability.


How This Could Impact Your Website

Consider a site managed by an owner, with internal staff managing content and an external contractor installing and configuring plugins. If an attacker can exploit this SSRF, they could cause the site server to make requests to internal services (for example, administrative APIs or metadata endpoints) that are normally inaccessible from the public internet. This could expose limited confidential information reachable from the server and increase the risk of targeted phishing or social engineering if internal email addresses or other contact data are obtainable through those services.

The CVSS impacts are rated as low for confidentiality and integrity and none for availability, so this does not imply an immediate full site compromise. However, the presence of an SSRF increases the attack surface for reconnaissance and limited data disclosure.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Monitor official plugin channels and the CVE reference for a patched release; apply updates as soon as a fixed version is available.
  • Until a patch is applied, limit exposure by restricting outbound connections from the web server where feasible (network-level controls or web host settings).
  • Review and reduce unnecessary user roles and capabilities, especially for contributors or non-administrative accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce overall risk surface.
  • Monitor site activity and server logs for unusual outbound requests or other suspicious behavior.
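
The log review in the last item can be partly automated. The following is an added example, not code from the CVE entry or the plugin: it scans a list of outbound requests made by the web server and flags destinations that are internal addresses or not on an allowlist. The log format, the sample lines and the allowlisted host name are constructed assumptions; adapt them to your own egress proxy or firewall log.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: one outbound request per line, "<time> <process> <URL>".
# This format is an assumption, not the output of any particular tool.
SAMPLE_LOG = """\
2026-03-14T09:12:01Z php-fpm https://api.example-giftcards.test/v1/orders
2026-03-14T09:12:07Z php-fpm http://169.254.169.254/latest/meta-data/
2026-03-14T09:12:09Z php-fpm http://127.0.0.1:6379/
2026-03-14T09:12:15Z php-fpm http://[::ffff:10.0.0.5]/admin
2026-03-14T09:12:20Z php-fpm http://2130706433/
2026-03-14T09:12:31Z php-fpm https://intranet.corp.test/status
"""

ALLOWED_HOSTS = {"api.example-giftcards.test"}  # hypothetical allowlist

def parse_ip(host):
    """Return an address object for IP-literal hosts (incl. bare-integer IPv4), else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        if host.isascii() and host.isdigit() and int(host) < 2**32:
            return ipaddress.ip_address(int(host))  # e.g. 2130706433 is 127.0.0.1
        return None

def classify(url):
    """Return a reason string if the destination deserves review, else None."""
    host = (urlsplit(url).hostname or "").lower()
    ip = parse_ip(host)
    if ip is None:
        return None if host in ALLOWED_HOSTS else "unlisted-host"
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # includes the 169.254.0.0/16 metadata range
        return "link-local"
    if ip.is_private:
        return "private"
    return "ip-literal"  # plugins normally call named hosts, not raw IPs

def suspicious(log_text):
    """Return (time, url, reason) for every well-formed line that is flagged."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and (reason := classify(parts[2])):
            hits.append((parts[0], parts[2], reason))
    return hits
```

Host names are not resolved here, so a name that points at an internal address is only caught if it is missing from the allowlist; keep the allowlist short and review "unlisted-host" entries.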

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References