CVE-2023-28662
published 2023-03-22

Priority: P2 (76)
Severity: critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 42.19% (98.5th percentile)
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action.

Affected

1 range

Vendor          Product         Version range   Fixed in
codemenschen    gift_vouchers   <= 4.3.1        (not stated)

Detection & IOCs (extracted from sources)

sigma: status_code == 500 AND contains(body, 'critical error')
bytes: 4a0a0047304502200c8cc804649ad5618df74bf706b26cadc98b07f41af62b6f0c674ada64c38582022100db07713b49d9ab766190ba1b39f6fc4f4c9d7e158c679c899dd116cab1363389:922c64590222798bb761d5b6d8e72950
  • Monitor for unauthenticated POST requests to the WordPress AJAX endpoint (admin-ajax.php) with the action 'wpgv_doajax_voucher_pdf_save_func' and a manipulated 'template' parameter; that parameter is the injection point for this SQLi vulnerability.
  • A successful exploitation attempt may produce an HTTP 500 response whose body contains 'critical error'; use this as a detection signal for blind or error-based SQLi probing against this plugin.
  • The vulnerability affects Gift Cards (Gift Vouchers and Packages) WordPress Plugin versions up to and including 4.3.1. Confirm the installed version before deploying detections, since patched versions are not expected to be affected.
  • The nuclei-style template uses 'Wordpress Gift Cards =6' as a matcher tag; scope detection rules to environments that actually run this plugin within the affected version range.
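The following is an added detection example, not code from the page's sources or from the plugin. It implements the two signals listed above over a constructed log: a flag for POST requests to admin-ajax.php carrying the 'wpgv_doajax_voucher_pdf_save_func' action together with a 'template' parameter (from either the query string or the form body), escalated when the response is an HTTP 500 containing 'critical error', and downgraded when the request carries a WordPress login cookie. The JSON-lines log format, field names and sample events are assumptions for illustration; only the action name, parameter name, error string and status code come from the advisory.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Values taken from the advisory text above.
AJAX_ACTION = "wpgv_doajax_voucher_pdf_save_func"
INJECTION_PARAM = "template"
ERROR_MARKER = "critical error"

# Constructed sample log (not real traffic): JSON lines from a hypothetical reverse
# proxy that records the form body, status code, a response snippet and the Cookie header.
SAMPLE_LOG = """\
{"ts":"2023-03-23T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=wpgv_doajax_voucher_pdf_save_func&template=1&voucher_id=2","status":200,"resp_snippet":"","cookie":""}
{"ts":"2023-03-23T10:00:02Z","src":"203.0.113.7","method":"POST","path":"/wp-admin/admin-ajax.php?action=wpgv_doajax_voucher_pdf_save_func","body":"template=2&voucher_id=2","status":500,"resp_snippet":"There has been a critical error on this website.","cookie":""}
{"ts":"2023-03-23T10:00:03Z","src":"198.51.100.4","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=heartbeat&_nonce=deadbeef","status":200,"resp_snippet":"","cookie":"wordpress_logged_in_abc=editor"}
{"ts":"2023-03-23T10:00:04Z","src":"198.51.100.9","method":"GET","path":"/index.php","body":"","status":500,"resp_snippet":"There has been a critical error on this website.","cookie":""}
{"ts":"2023-03-23T10:00:05Z","src":"198.51.100.4","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=wpgv_doajax_voucher_pdf_save_func&template=1","status":200,"resp_snippet":"","cookie":"wordpress_logged_in_abc=editor"}
"""


def request_params(ev):
    """Merge query-string and form-body parameters; WordPress accepts the action in either."""
    merged = parse_qs(urlsplit(ev.get("path", "")).query, keep_blank_values=True)
    for key, vals in parse_qs(ev.get("body", ""), keep_blank_values=True).items():
        merged.setdefault(key, []).extend(vals)
    return merged


def is_logged_in(ev):
    # WordPress marks authenticated sessions with a wordpress_logged_in_<hash> cookie.
    return "wordpress_logged_in_" in ev.get("cookie", "")


def targets_vulnerable_action(ev):
    """True for a POST to admin-ajax.php naming the vulnerable action and supplying 'template'."""
    if ev.get("method") != "POST":
        return False
    if not urlsplit(ev.get("path", "")).path.endswith("/admin-ajax.php"):
        return False
    params = request_params(ev)
    return AJAX_ACTION in params.get("action", []) and INJECTION_PARAM in params


def has_error_signal(ev):
    """The page's sigma-style rule: HTTP 500 with 'critical error' in the response body."""
    return ev.get("status") == 500 and ERROR_MARKER in ev.get("resp_snippet", "").lower()


def detect(log_text):
    """Return one finding per matching event; no payload inspection is needed."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not targets_vulnerable_action(ev):
            continue
        if has_error_signal(ev):
            severity, reason = "high", "vulnerable action with template param returned 500 'critical error'"
        elif not is_logged_in(ev):
            severity, reason = "medium", "unauthenticated request to vulnerable action with template param"
        else:
            severity, reason = "low", "authenticated request to vulnerable action with template param"
        findings.append({"ts": ev["ts"], "src": ev["src"], "severity": severity, "reason": reason})
    return findings


def per_source_counts(findings):
    """Count findings per client address to surface repeated probing from one source."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['src']:<14} {f['severity']:<6} {f['reason']}")
    print(per_source_counts(results))
```

The rule keys on the action and parameter names rather than on payload content, so it also catches probes that do not trigger the 500, and the bare "500 + critical error" event from an unrelated URL (the fourth sample line) is deliberately not flagged, since that string is WordPress's generic fatal-error page and would be noisy on its own.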