CVE-2024-11423: 
WordPress vulnerability analysis and mitigation

The Ultimate Gift Cards for WooCommerce plugin for WordPress contains a vulnerability (CVE-2024-11423) discovered in versions up to and including 3.0.6. The vulnerability stems from missing authorization checks on several REST API endpoints, particularly /wp-json/gifting/recharge-giftcard. This security flaw was disclosed on January 8, 2025 (NVD, Wordfence).

The vulnerability is classified as a missing authorization vulnerability (CWE-862) that affects the REST API endpoints of the plugin. It has received a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, and can result in high impact to integrity (NVD).

The vulnerability allows unauthenticated attackers to perform unauthorized modifications to gift card data. Specifically, attackers can recharge gift card balances without making actual payments and reduce gift card balances without legitimate purchases, effectively creating an infinite money glitch (Wordfence).

Website administrators running the Ultimate Gift Cards for WooCommerce plugin should immediately update to a version newer than 3.0.6, which contains the security fix (Wordfence).