CVE-2025-58878
📋 TL;DR
This CSRF vulnerability in the Woocommerce Gifts Product WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. It affects all WordPress sites using the plugin version 1.0.0 or earlier. The vulnerability enables attackers to modify plugin settings or perform other administrative actions without the victim's knowledge.
💻 Affected Systems
- Woocommerce Gifts Product WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could reconfigure the plugin to disable security features, modify gift product settings to enable fraudulent transactions, or potentially chain with other vulnerabilities for further compromise.
Likely Case
Attackers would modify gift product settings to create fraudulent promotions, change pricing, or alter product availability, potentially leading to financial loss or customer dissatisfaction.
If Mitigated
With proper CSRF protections and user awareness, the risk is limited to unsuccessful attack attempts that get blocked by security controls.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users. No authentication bypass is needed as the attack leverages existing admin sessions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.0.0 (check WordPress plugin repository)
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Woocommerce Gifts Product'.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and remove the plugin.
🔧 Temporary Workarounds
Implement CSRF Tokens
Add CSRF protection to all plugin admin forms using WordPress nonces
Restrict Admin Access
Limit administrative access to trusted networks and implement multi-factor authentication
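As an added illustration of the nonce workaround above (this is not code from the plugin or from this advisory; the hook names, the option key and the form field are assumed), a WordPress admin settings handler in its CSRF-vulnerable form beside the hardened form that checks capability and nonce:

```php
<?php
// Added illustration, not the plugin's code. Hook names, the option key
// 'woo_gift_settings' and the 'discount' field are assumed for the example.

// --- Vulnerable pattern: accepts any POST that carries an admin session cookie.
add_action( 'admin_post_woo_gift_save_insecure', function () {
    // No capability check and no nonce check: a form submitted from another
    // site by a logged-in administrator's browser is treated as intentional.
    update_option( 'woo_gift_settings', array(
        'discount' => (int) $_POST['discount'],
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=woo-gift-product' ) );
    exit;
} );

// --- Hardened pattern: capability check plus a nonce bound to this action.
add_action( 'admin_post_woo_gift_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // check_admin_referer() validates the _wpnonce field for this action and
    // stops the request with an error page when the nonce is missing or stale.
    check_admin_referer( 'woo_gift_save_settings' );

    // Sanitize the input before persisting it.
    $discount = isset( $_POST['discount'] ) ? absint( wp_unslash( $_POST['discount'] ) ) : 0;
    update_option( 'woo_gift_settings', array( 'discount' => min( $discount, 100 ) ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=woo-gift-product' ) ) );
    exit;
} );

// The legitimate settings form emits the nonce the hardened handler expects;
// a cross-site forgery cannot obtain a valid one for the victim's session.
function woo_gift_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="woo_gift_save">
        <?php wp_nonce_field( 'woo_gift_save_settings' ); ?>
        <label>Gift discount (%) <input type="number" name="discount" min="0" max="100"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

A Referer-based check (as in the detection query below) is only a monitoring aid; the nonce plus capability check is what actually closes the CSRF hole.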
🧯 If You Can't Patch
- Deactivate and remove the Woocommerce Gifts Product plugin immediately
- Implement a web application firewall (WAF) with CSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Woocommerce Gifts Product' version 1.0.0 or earlier
Check Version:
wp plugin list --name='woo-gift-product' --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify plugin is either updated to version after 1.0.0 or completely removed from the system
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to plugin admin endpoints without referrer headers
- Unusual plugin configuration changes in WordPress logs
Network Indicators:
- Requests to /wp-admin/admin.php?page=woo-gift-product with suspicious referrers
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin.php" AND query_string="page=woo-gift-product") AND http_method="POST" AND NOT referrer CONTAINS own_domain