CVE-2026-24375

Ultimate Gift Cards for WooCommerce <= 3.2.4 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
3.2.5
Patched in
117d
Time to patch

Description

The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.2.4
PublishedJanuary 8, 2026
Last updatedMay 4, 2026
Affected pluginwoo-gift-cards-lite

What Changed in the Fix

Changes introduced in v3.2.5

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Vulnerability Research Plan: CVE-2026-24375 - Missing Authorization in Ultimate Gift Cards for WooCommerce ## 1. Vulnerability Summary The **Ultimate Gift Cards for WooCommerce** plugin (versions <= 3.2.4) contains a missing authorization vulnerability within its onboarding and notice management …

Show full research plan

Vulnerability Research Plan: CVE-2026-24375 - Missing Authorization in Ultimate Gift Cards for WooCommerce

1. Vulnerability Summary

The Ultimate Gift Cards for WooCommerce plugin (versions <= 3.2.4) contains a missing authorization vulnerability within its onboarding and notice management logic. Specifically, the plugin registers several AJAX handlers using the wp_ajax_nopriv_ prefix, making them accessible to unauthenticated users. These handlers lack both capability checks (e.g., current_user_can('manage_options')) and nonce verification, allowing any visitor to modify plugin options or dismiss administrative alerts.

The primary vulnerable component is the Makewebbetter_Onboarding_Helper class, which handles the initial plugin setup wizard.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Actions: send_onboarding_data and skip_onboarding_popup
  • Vulnerability Type: Missing Authorization (and Missing Nonce Check)
  • Authentication: None (Unauthenticated)
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Registration: In includes/class-makewebbetter-onboarding-helper.php, the constructor registers the following hooks:
    add_action( 'wp_ajax_send_onboarding_data', array( $this, 'send_onboarding_data' ) );
    add
    
Research Findings
Static analysis — not yet PoC-verified

Summary

The Ultimate Gift Cards for WooCommerce plugin suffers from missing authorization and nonce verification in several AJAX endpoints, most notably during the onboarding process and smart coupon migration. This allows unauthenticated or low-privileged attackers to trigger sensitive administrative tasks, such as migrating database records or modifying plugin configuration data.

Vulnerable Code

// includes/class-makewebbetter-onboarding-helper.php line 135
// Ajax to send data.
add_action( 'wp_ajax_send_onboarding_data', array( $this, 'send_onboarding_data' ) );
add_action( 'wp_ajax_nopriv_send_onboarding_data', array( $this, 'send_onboarding_data' ) );

// Ajax to Skip popup.
add_action( 'wp_ajax_skip_onboarding_popup', array( $this, 'skip_onboarding_popup' ) );
add_action( 'wp_ajax_nopriv_skip_onboarding_popup', array( $this, 'skip_onboarding_popup' ) );

---

// admin/class-woocommerce-gift-cards-lite-admin.php around line 2556
/**
 * Migrate smart coupons to giftcards
 * 
 * @name wps_wgm_migrate_smart_coupons_to_giftcards()
 */
public function wps_wgm_migrate_smart_coupons_to_giftcards() {
    // No check_ajax_referer or current_user_can checks before performing DB operations
    global $wpdb;
    // ... (logic continues)

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woo-gift-cards-lite/3.2.4/admin/class-woocommerce-gift-cards-lite-admin.php /home/deploy/wp-safety.org/data/plugin-versions/woo-gift-cards-lite/3.2.5/admin/class-woocommerce-gift-cards-lite-admin.php
--- /home/deploy/wp-safety.org/data/plugin-versions/woo-gift-cards-lite/3.2.4/admin/class-woocommerce-gift-cards-lite-admin.php	2026-01-05 09:27:18.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woo-gift-cards-lite/3.2.5/admin/class-woocommerce-gift-cards-lite-admin.php	2026-01-28 13:15:36.000000000 +0000
@@ -2556,6 +2556,12 @@
 	 * @name wps_wgm_migrate_smart_coupons_to_giftcards()
 	 */
 	public function wps_wgm_migrate_smart_coupons_to_giftcards() {
+
+		check_ajax_referer( 'wps-wgm-verify-nonce', 'nonce' );
+		if ( ! current_user_can( 'manage_options' ) ) {
+  			return;
+		}
+
 		global $wpdb;
 
 		$general_settings  = get_option( 'wps_wgm_general_settings', array() );
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woo-gift-cards-lite/3.2.4/admin/js/woocommerce_gift_cards_lite-admin.js /home/deploy/wp-safety.org/data/plugin-versions/woo-gift-cards-lite/3.2.5/admin/js/woocommerce_gift_cards_lite-admin.js
--- /home/deploy/wp-safety.org/data/plugin-versions/woo-gift-cards-lite/3.2.4/admin/js/woocommerce_gift_cards_lite-admin.js	2026-01-05 09:27:18.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woo-gift-cards-lite/3.2.5/admin/js/woocommerce_gift_cards_lite-admin.js	2026-01-28 13:15:36.000000000 +0000
@@ -496,7 +502,10 @@
 				"click",
 				"#wps_wgm_transfer_smart_coupons",
 				function() {
-					var data = { action:'wps_migrate_smart_coupons_to_giftcards' };
+					var data = {
+						action:'wps_migrate_smart_coupons_to_giftcards',
+						nonce : wps_wgc.wps_wgm_nonce
+					};
 					$("#wps_wgm_loader_other").show();
 
 					$.ajax({

Exploit Outline

The exploit involves sending an unauthenticated or low-privileged AJAX request to the WordPress backend. An attacker can target `/wp-admin/admin-ajax.php` with the POST action `wps_migrate_smart_coupons_to_giftcards` or onboarding-related actions such as `send_onboarding_data`. Because the plugin uses `wp_ajax_nopriv_` for onboarding and fails to verify user capabilities or nonces in the migration handler, the attacker can execute these functions to manipulate database state or plugin settings without providing any valid administrative credentials.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.