06/08/2026

How a Critical WooCommerce Add-on Zero-Day Was Disclosed and Patched

A live attack, a previously undocumented vulnerability, and a coordinated disclosure that helped protect WooCommerce stores.

A live WooCommerce compromise led to the discovery of a previously undocumented vulnerability in a popular paid plugin. Through coordinated disclosure with Patchstack, the issue was reported, patched, and published as CVE-2026-45444.

The discovery

On May 18, 2026, an attacker compromised a live WordPress site running the premium Gift Cards for WooCommerce Pro plugin by WP Swings. The plugin was up to date at the time, yet the attacker was still able to exploit it.

During the investigation, Monarx Principal Security Engineer Joe Bruno identified that this was not a known issue being reused, but a previously undocumented vulnerability affecting the plugin. The flaw allowed an attacker to upload arbitrary files to the web server without logging in.

What the attacker did

Once inside, the attacker moved quickly and deliberately. At a high level, the intrusion unfolded like this:

  • Got in through the front door. A flaw in the gift-card plugin let them upload a malicious file without any authentication.
  • Established a foothold. They planted several pieces of custom malware, tools our system had never seen before. Several appeared to be AI-generated, which is one way to produce novel code that no existing signature matches.
  • Reached for the data. They deployed database-access tooling and a custom utility designed to slip past firewall protections.
  • Dug in for the long haul. They quietly activated legitimate plugins in ways that can create hidden administrator accounts, then staged a full backup of the site for exfiltration.

Forensic traces — including a status message written in Chinese (“备份任务已启动。”, “Backup task has started”) — suggested a capable, deliberate operator rather than an opportunistic scan.

Why this vulnerability was different

Plugins get vulnerabilities patched all the time, and most attacks reuse known weaknesses. This was not one of those. There was an older, related advisory for this plugin family (CVE-2024-8425), but it covered a different function and had been fixed in an earlier release. The site in question was running a newer release that should have been safe.

In other words, this was a true zero-day — a live, undisclosed vulnerability present in the current version of the plugin, being actively exploited in the wild, with no public record and no patch available. Because the underlying tools were novel and dual-use (the kind of utilities that can look legitimate at a glance), this is exactly the class of threat that slips past signature-based defenses.

From discovery to disclosure

Identifying the vulnerability was only the first step. To protect the wider WordPress ecosystem, the issue needed to be responsibly disclosed, validated, patched by the plugin author, and assigned an official CVE.

Monarx worked with Patchstack, one of the leading WordPress vulnerability research and disclosure organizations, to submit the vulnerability and coordinate the disclosure process. Patchstack helped manage communication with the plugin author, support the release of a fix, and publish the public advisory.

The result was CVE-2026-45444, credited to Joe Bruno of Monarx. Patchstack reported the issue on May 19 and published the advisory on May 20, 2026, along with a mitigation rule to shield their customers while site owners updated.

The numbers at a glance

  • Vulnerability: Unauthenticated Arbitrary File Upload
  • CVE ID: CVE-2026-45444
  • Severity: CVSS 10.0 (Critical) — the maximum possible score
  • Affected plugin: Gift Cards for WooCommerce Pro by WP Swings
  • Vulnerable versions: 4.2.6 and earlier
  • Fixed in: Version 4.2.7
  • Status: Known to be exploited in the wild
  • Discovered by: Joe Bruno, Principal Security Engineer, Monarx
  • Disclosure partner: Patchstack

What store owners should do

  • Update immediately. If you use Gift Cards for WooCommerce Pro, update to version 4.2.7 or later now.
  • Assume compromise on older versions. Updating closes the hole but does not remove anything an attacker already left behind. If your site was exposed while running version 4.2.6 or earlier, review the administrator accounts, rotate credentials (WordPress passwords, the database password, and any API keys stored in the site), check for unfamiliar files, including PHP files under wp-content/uploads, and look for recently activated plugins that you do not recognize.
  • Disable until patched. If you cannot update right away, deactivate the plugin until the fix is in place. Keep in mind that deactivation only stops WordPress from loading the plugin's code; if you are not sure how the vulnerable endpoint is reached, removing the plugin directory from the server is the safer option.
  • Layer your defenses. This case is also a reminder that security should not rely on plugin updates alone. Blocking PHP execution under wp-content/uploads at the web server removes the easiest payoff from an arbitrary file upload, and runtime protection and server-level monitoring can help detect suspicious behavior, novel tooling, and post-exploitation activity that does not match known signatures.
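The review described in the list above (check administrator accounts, unfamiliar files, recently activated plugins) and the intrusion steps described earlier (hidden administrator accounts, custom files dropped on the server) come down to a handful of checks that can be scripted. The script below is an added example written for this post, not Monarx tooling and not anything shipped by WP Swings or Patchstack. It assumes WP-CLI is installed and that it runs from the WordPress root, and the plugin slug it uses is a guess: set PLUGIN_SLUG to whatever `wp plugin list` shows on your site. The version check uses the affected range from the advisory (anything below 4.2.7).

```shell
#!/bin/sh
# Post-incident triage for a site that ran Gift Cards for WooCommerce Pro 4.2.6 or earlier.
# Added example for this post, not tooling from Monarx, WP Swings or Patchstack.
# Assumptions: WP-CLI is installed, the script runs from the WordPress root, and the
# plugin slug below is a guess (confirm it with `wp plugin list` on your own site).
PLUGIN_SLUG="${PLUGIN_SLUG:-gift-cards-for-woocommerce-pro}"
FIXED_VERSION="4.2.7"   # first patched release, per the advisory

# version_lt A B: succeed when dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# is_vulnerable_version V: succeed when V is inside the affected range (below 4.2.7).
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# find_php_in_uploads DIR [DAYS]: list PHP-like files under an uploads directory,
# optionally only those modified in the last DAYS days. Uploads should hold media,
# not code, so every hit deserves a look (an empty index.php stub is the usual
# benign exception; read the file before deciding).
find_php_in_uploads() {
    dir="$1"
    days="${2:-0}"
    if [ "$days" -gt 0 ]; then
        find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) -mtime -"$days"
    else
        find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
    fi
}

# triage: run the checks against the live site. Output is for a human to review;
# the script changes nothing on the site.
triage() {
    ver="$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)" || {
        echo "plugin '$PLUGIN_SLUG' not found; confirm the slug with: wp plugin list"
        return 1
    }
    if is_vulnerable_version "$ver"; then
        echo "VULNERABLE: $PLUGIN_SLUG $ver is below $FIXED_VERSION; update or deactivate now"
    else
        echo "ok: $PLUGIN_SLUG $ver is at or above $FIXED_VERSION"
    fi
    echo "--- administrator accounts (anything you did not create is suspect) ---"
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
    echo "--- active plugins (look for ones you did not activate) ---"
    wp plugin list --status=active --fields=name,version,update
    echo "--- PHP files in uploads modified in the last 30 days ---"
    find_php_in_uploads "$(wp eval 'echo wp_upload_dir()["basedir"];')" 30
}

# Run the live checks with:  sh triage.sh run
# Without the argument the functions are only defined, so the file can be sourced.
if [ "${1:-}" = "run" ]; then
    triage
fi
```

Treat the output as leads, not verdicts: the attacker in this case activated legitimate plugins and dropped tooling built to look legitimate at a glance, so a plugin or file is not cleared just because its name is familiar. If the site was exposed while vulnerable, rotate credentials after the review even when nothing turns up.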

From discovery to protection

A real-world attack led to the discovery of a previously undocumented vulnerability. Through responsible disclosure with Patchstack, that finding became a patch, a public CVE, and wider protection for WooCommerce store owners.

For site owners, the takeaway is simple: update quickly, monitor closely, and do not assume that “fully updated” always means fully protected.

Learn more about the advisory: CVE-2026-45444 on Patchstack.
