CVE-2026-45444: Critical File Upload Flaw in Gift Cards For WooCommerce Pro
The National Vulnerability Database has disclosed CVE-2026-45444, a critical vulnerability impacting the Gift Cards For WooCommerce Pro plugin. The flaw, rated 10.0 on the CVSS scale, is an unrestricted upload of files with dangerous types, which lets an attacker place malicious files on the server.
This vulnerability affects Gift Cards For WooCommerce Pro versions up to and including 4.2.6. The ability for an unauthenticated attacker to upload arbitrary malicious files translates directly into remote code execution (RCE). This isn’t just a defacement risk; it’s a full compromise of the underlying server.
Attackers will leverage this to establish persistent access, exfiltrate data, or pivot to other systems on the network. The low attack complexity and lack of required authentication make this an extremely attractive target for opportunistic threat actors. Defenders must treat this with the highest urgency.
What This Means For You
- If your organization uses Gift Cards For WooCommerce Pro, check your version immediately. Any version up to 4.2.6 is vulnerable to full server compromise via unrestricted file upload. Patching this is non-negotiable and should be your top priority. Assume compromise if you were running an affected version unpatched.
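A triage sketch for the two checks above, added here as an example and not taken from the advisory or the plugin vendor: it reads the plugin's `Version:` header and lists PHP-executable files under `wp-content/uploads`. The plugin directory name comes from the detection rule on this page; the sample site tree, its file names and the extension list are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "gift-cards-for-woocommerce-pro"  # directory name used in the rule on this page
LAST_AFFECTED = (4, 2, 6)                        # "up to and including 4.2.6"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.I)  # also catches shell.php.jpg

def installed_version(wp_root):
    """Return the plugin version from the header WordPress parses, or None if not installed."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KB
        m = HEADER_RE.search(head)
        if "Plugin Name:" in head and m:
            return tuple(int(p) for p in m.group(1).split(".") if p)
    return None

def is_affected(version):
    if version is None:
        return False
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: tuple(v) + (0,) * (width - len(v))  # (4, 2) compares as 4.2.0
    return pad(version) <= pad(LAST_AFFECTED)

def php_in_uploads(wp_root):
    """List files under wp-content/uploads whose name carries a PHP-executable extension."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    return sorted(p.relative_to(wp_root).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and PHP_EXT_RE.search(p.name))

def build_sample_site(root):
    """Constructed WordPress tree for the demo; every name and content here is made up."""
    plugin = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    uploads = Path(root) / "wp-content" / "uploads" / "2026" / "05"
    plugin.mkdir(parents=True)
    uploads.mkdir(parents=True)
    (plugin / "plugin-main.php").write_text(
        "<?php\n/**\n * Plugin Name: Sample Header\n * Version: 4.2.6\n */\n")
    (uploads / "card.png").write_bytes(b"\x89PNG")
    (uploads / "card.php").write_text("<?php // constructed placeholder\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        v = installed_version(site)
        print("version:", v, "affected:", is_affected(v))
        print("PHP under uploads:", php_in_uploads(site))
```

Files it lists are leads for review rather than proof of compromise, and an empty list does not clear a host that ran an affected version.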
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-45444: Unrestricted File Upload in Gift Cards for WooCommerce Pro
```yaml
title: "CVE-2026-45444: Unrestricted File Upload in Gift Cards for WooCommerce Pro"
id: scw-2026-05-20-ai-1
status: experimental
level: critical
description: |
  Detects the unrestricted file upload vulnerability (CVE-2026-45444) in the Gift Cards for WooCommerce Pro plugin. This rule looks for POST requests targeting the plugin's directory, returning a 200 status code, and attempting to upload a PHP file with directory traversal characters, which is indicative of an exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45444/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Field names are kept as published; map them to your web log schema.
  selection:
    cs-uri|contains:
      - '/wp-content/plugins/gift-cards-for-woocommerce-pro/'
    cs-method|contains:
      - 'POST'
    sc-status: 200
    # A single key with |all: repeated uri|contains keys overwrite each other in YAML.
    uri|contains|all:
      - '.php'
      - '..'
  selection_upload:
    uri|contains|all:
      - '.php'
      - '..'
      - 'wp-content/uploads/'
  condition: selection and selection_upload
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-45444 | RCE | WP Swings Gift Cards For WooCommerce Pro |
| CVE-2026-45444 | RCE | Gift Cards For WooCommerce Pro versions through 4.2.6 |
| CVE-2026-45444 | Unrestricted Upload | Unrestricted Upload of File with Dangerous Type |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 20, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.