{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32412", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:19.857Z", "datePublished": "2026-03-13T11:42:14.544Z", "dateUpdated": "2026-04-29T09:51:59.019Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "gift-up", "product": "Gift Up Gift Cards for WordPress and WooCommerce", "vendor": "Gift Up!", "versions": [{"changes": [{"at": "3.1.8", "status": "unaffected"}], "lessThanOrEqual": "3.1.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:10.298Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery.<p>This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through <= 3.1.7.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery.This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through <= 3.1.7."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.019Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/gift-up/vulnerability/wordpress-gift-up-gift-cards-for-wordpress-and-woocommerce-plugin-3-1-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "title": "WordPress Gift Up Gift Cards for WordPress and WooCommerce plugin <= 3.1.7 - Server Side Request Forgery (SSRF) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T18:26:36.653747Z", "id": "CVE-2026-32412", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:27:03.463Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32412", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T18:26:36.653747Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:25:51.061Z"}}], "cna": {"title": "WordPress Gift Up Gift Cards for WordPress and WooCommerce plugin <= 3.1.7 - Server Side Request Forgery (SSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "Server Side Request Forgery"}]}], "affected": [{"vendor": "Gift Up!", "product": "Gift Up Gift Cards for WordPress and WooCommerce", "versions": [{"status": "affected", "changes": [{"at": "3.1.8", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.1.7"}], "packageName": "gift-up", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:18.889Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/gift-up/vulnerability/wordpress-gift-up-gift-cards-for-wordpress-and-woocommerce-plugin-3-1-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery.This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through <= 3.1.7.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery.<p>This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through <= 3.1.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:14.544Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32412", "state": "PUBLISHED", "dateUpdated": "2026-03-13T18:27:03.463Z", "dateReserved": "2026-03-12T11:11:19.857Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:14.544Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery.This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through <= 3.1.7."}, {"lang": "es", "value": "Una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Gift Up! Gift Up Gift Cards para WordPress y WooCommerce gift-up permite la falsificaci\u00f3n de petici\u00f3n del lado del servidor. Este problema afecta a Gift Up Gift Cards para WordPress y WooCommerce: desde n/a hasta &lt;= 3.1.7."}], "id": "CVE-2026-32412", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:58.203", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/gift-up/vulnerability/wordpress-gift-up-gift-cards-for-wordpress-and-woocommerce-plugin-3-1-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.1.8"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Gift Up Gift Cards for WordPress and WooCommerce", "source": "cna", "vendor": "Gift Up!"}, "product": "gift_up_gift_cards_for_wordpress_and_woocommerce", "vendor": "giftup"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T16:37:09.264580+00:00", "value": {"mitigation_remediation": ["Update the Gift Up! plugin to version 3.1.8 or later to remove the SSRF flaw", "If an immediate update is not possible, disable or delete the plugin to eliminate the attack vector", "Monitor outgoing network traffic from the web server for unexpected outbound requests that may indicate exploitation attempts", "Configure the site\u2019s firewall or intrusion detection system to alert on unusual outbound HTTP requests originating from the server"], "summary": {"action": "Patch", "impact": "Server Side Request Forgery (SSRF)"}, "threat_synthesis": {"affected_systems": "All releases of the Gift Up! Gift Cards for WordPress and WooCommerce plugin from the initial release through version 3.1.7 inclusive are affected.", "description_and_impact": "The Gift Up! Gift Cards for WordPress and WooCommerce plugin contains a Server Side Request Forgery (SSRF) flaw (CWE-918). This vulnerability allows a malicious actor to instruct the server to make HTTP requests to arbitrary URLs, which can result in the disclosure of internal network information or the retrieval of sensitive data from other services. The specific consequences depend on the target URL and the server\u2019s network context, and are not detailed in the vendor\u2019s description.", "risk_and_exploitability": "The CVSS base score is 5.4, indicating moderate severity. The EPSS score is below 1%, suggesting a low current likelihood of exploitation. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the SSRF can be triggered via plugin administrative or promotional endpoints that accept user-supplied URLs, enabling remote attackers to send arbitrary outbound requests from the server."}}}}, "created": "2026-03-16T09:34:00.669024+00:00", "updated": "2026-03-23T12:03:50.916968+00:00", "vendors": ["giftup", "giftup$PRODUCT$gift_up_gift_cards_for_wordpress_and_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}