CVE-2026-32412

Gift Up Gift Cards for WordPress and WooCommerce <= 3.1.7 - Unauthenticated Server-Side Request Forgery

highServer-Side Request Forgery (SSRF)
7.2
CVSS Score
7.2
CVSS Score
high
Severity
3.1.8
Patched in
70d
Time to patch

Description

The Gift Up Gift Cards for WordPress and WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.1.7
PublishedFebruary 25, 2026
Last updatedMay 5, 2026
Affected plugingift-up

What Changed in the Fix

Changes introduced in v3.1.8

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2026-32412 Gift Up Gift Cards SSRF ## 1. Vulnerability Summary The **Gift Up Gift Cards for WordPress and WooCommerce** plugin (<= 3.1.7) is vulnerable to **Unauthenticated Server-Side Request Forgery (SSRF)**. The vulnerability exists because the `GiftUp_API` class allows the …

Show full research plan

Research Plan: CVE-2026-32412 Gift Up Gift Cards SSRF

1. Vulnerability Summary

The Gift Up Gift Cards for WordPress and WooCommerce plugin (<= 3.1.7) is vulnerable to Unauthenticated Server-Side Request Forgery (SSRF). The vulnerability exists because the GiftUp_API class allows the API root URL (the base URL for all API requests) to be overridden via user-supplied input (likely a GET/POST parameter or HTTP header) without sufficient authentication or validation. This allows an unauthenticated attacker to redirect internal plugin API calls to arbitrary external or internal locations.

2. Attack Vector Analysis

  • Vulnerable Component: GiftUp_API class (specifically the invoke method or the mechanism that determines the API root).
  • Entry Point: Any unauthenticated action that triggers an API call, such as:
    1. Applying a gift card code via the WooCommerce cart/checkout (triggers GiftUp_API::get_gift_card).
    2. Accessing a page containing the [giftup] shortcode.
  • Payload Parameter: giftup_api_root (GET or POST parameter) or X-GiftUp-Api-Root (HTTP Header) — Note: giftup_api_root is the most likely candidate based on internal plugin logic patterns.
  • Authentication: None required (Unauthenticated).
  • Preconditions: WooCommerce must
Research Findings
Static analysis — not yet PoC-verified

Summary

The Gift Up Gift Cards for WordPress and WooCommerce plugin is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) because it allows the API base URL to be defined via a cookie value. This enables attackers to redirect internal plugin requests to arbitrary external or internal network addresses.

Vulnerable Code

// includes/class-giftup-api.php line 293

    public function api_root()
    {
        if (isset( $_COOKIE['giftup_api_root'] )) {
            return $_COOKIE['giftup_api_root'];
        }

        return 'https://api.giftup.app';
    }

    public function dashboard_root()
    {
        if (isset( $_COOKIE['giftup_dashboard_root'] )) {
            return $_COOKIE['giftup_dashboard_root'];
        }

        return 'https://giftup.app';
    }

    public function different_roots_enabled()
    {
        if (!empty( $_COOKIE['giftup_dashboard_root'] ) or !empty( $_COOKIE['giftup_api_root'] )) {
            return true;
        }

        return false;
    }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/gift-up/3.1.7/includes/class-giftup-api.php /home/deploy/wp-safety.org/data/plugin-versions/gift-up/3.1.8/includes/class-giftup-api.php
--- /home/deploy/wp-safety.org/data/plugin-versions/gift-up/3.1.7/includes/class-giftup-api.php	2025-05-28 13:58:38.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/gift-up/3.1.8/includes/class-giftup-api.php	2026-02-10 12:30:18.000000000 +0000
@@ -293,30 +293,13 @@
 
     public function api_root()
     {
-        if (isset( $_COOKIE['giftup_api_root'] )) {
-            return $_COOKIE['giftup_api_root'];
-        }
-
         return 'https://api.giftup.app';
     }
 
     public function dashboard_root()
     {
-        if (isset( $_COOKIE['giftup_dashboard_root'] )) {
-            return $_COOKIE['giftup_dashboard_root'];
-        }
-
         return 'https://giftup.app';
     }
-
-    public function different_roots_enabled()
-    {
-        if (!empty( $_COOKIE['giftup_dashboard_root'] ) or !empty( $_COOKIE['giftup_api_root'] )) {
-            return true;
-        }
-
-        return false;
-    }

Exploit Outline

An unauthenticated attacker can exploit this vulnerability by supplying a target internal or external URL within the 'giftup_api_root' cookie. Once this cookie is set, any action that triggers a plugin API call (such as applying a gift card code in the WooCommerce cart or accessing a page with the [giftup] shortcode) will cause the server to make a web request to the attacker-specified URL. No authentication is required to set the cookie or trigger the vulnerable API request.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.