CVE-2025-31781: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the Gift Cards for WooCommerce WordPress plugin, affecting versions up to and including 1.5.8. The vulnerability was discovered by researcher Kévin Mosbahi (Mika) and was assigned CVE-2025-31781. The issue was reported on December 7, 2024, and publicly disclosed on April 1, 2025 (Patchstack, WPScan).

The vulnerability is classified as a Broken Access Control issue (CWE-862) due to missing authorization checks in certain functions. It received a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The security flaw allows unauthenticated attackers to perform unauthorized actions due to incorrectly configured access control security levels (Patchstack).

The vulnerability enables unauthenticated attackers to execute certain privileged actions within the plugin's functionality. The impact is considered low to medium severity, primarily affecting the integrity of the system through unauthorized access to protected functions (WPScan).

No official fix is currently available for this vulnerability. The software is considered abandoned as it hasn't been updated for over a year. Security experts recommend removing and replacing the plugin with an alternative solution to mitigate the security risk (Patchstack).