Gift Up Gift Cards for WordPress and WooCommerce <= 3.1.7 - Unauthenticated Server-Side Request Forgery
Description
The Gift Up Gift Cards for WordPress and WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v3.1.8
Source Code
WordPress.org SVN# Research Plan: CVE-2026-32412 Gift Up Gift Cards SSRF ## 1. Vulnerability Summary The **Gift Up Gift Cards for WordPress and WooCommerce** plugin (<= 3.1.7) is vulnerable to **Unauthenticated Server-Side Request Forgery (SSRF)**. The vulnerability exists because the `GiftUp_API` class allows the …
Show full research plan
Research Plan: CVE-2026-32412 Gift Up Gift Cards SSRF
1. Vulnerability Summary
The Gift Up Gift Cards for WordPress and WooCommerce plugin (<= 3.1.7) is vulnerable to Unauthenticated Server-Side Request Forgery (SSRF). The vulnerability exists because the GiftUp_API class allows the API root URL (the base URL for all API requests) to be overridden via user-supplied input (likely a GET/POST parameter or HTTP header) without sufficient authentication or validation. This allows an unauthenticated attacker to redirect internal plugin API calls to arbitrary external or internal locations.
2. Attack Vector Analysis
- Vulnerable Component:
GiftUp_APIclass (specifically theinvokemethod or the mechanism that determines the API root). - Entry Point: Any unauthenticated action that triggers an API call, such as:
- Applying a gift card code via the WooCommerce cart/checkout (triggers
GiftUp_API::get_gift_card). - Accessing a page containing the
[giftup]shortcode.
- Applying a gift card code via the WooCommerce cart/checkout (triggers
- Payload Parameter:
giftup_api_root(GET or POST parameter) orX-GiftUp-Api-Root(HTTP Header) — Note:giftup_api_rootis the most likely candidate based on internal plugin logic patterns. - Authentication: None required (Unauthenticated).
- Preconditions: WooCommerce must
Summary
The Gift Up Gift Cards for WordPress and WooCommerce plugin is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) because it allows the API base URL to be defined via a cookie value. This enables attackers to redirect internal plugin requests to arbitrary external or internal network addresses.
Vulnerable Code
// includes/class-giftup-api.php line 293 public function api_root() { if (isset( $_COOKIE['giftup_api_root'] )) { return $_COOKIE['giftup_api_root']; } return 'https://api.giftup.app'; } public function dashboard_root() { if (isset( $_COOKIE['giftup_dashboard_root'] )) { return $_COOKIE['giftup_dashboard_root']; } return 'https://giftup.app'; } public function different_roots_enabled() { if (!empty( $_COOKIE['giftup_dashboard_root'] ) or !empty( $_COOKIE['giftup_api_root'] )) { return true; } return false; }
Security Fix
@@ -293,30 +293,13 @@ public function api_root() { - if (isset( $_COOKIE['giftup_api_root'] )) { - return $_COOKIE['giftup_api_root']; - } - return 'https://api.giftup.app'; } public function dashboard_root() { - if (isset( $_COOKIE['giftup_dashboard_root'] )) { - return $_COOKIE['giftup_dashboard_root']; - } - return 'https://giftup.app'; } - - public function different_roots_enabled() - { - if (!empty( $_COOKIE['giftup_dashboard_root'] ) or !empty( $_COOKIE['giftup_api_root'] )) { - return true; - } - - return false; - }
Exploit Outline
An unauthenticated attacker can exploit this vulnerability by supplying a target internal or external URL within the 'giftup_api_root' cookie. Once this cookie is set, any action that triggers a plugin API call (such as applying a gift card code in the WooCommerce cart or accessing a page with the [giftup] shortcode) will cause the server to make a web request to the attacker-specified URL. No authentication is required to set the cookie or trigger the vulnerable API request.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.