CVE-2021-3120

CVE-2021-3120 is a critical-severity vulnerability in Yithemes Yith Woocommerce Gift Cards with a CVSS 3.x base score of 9.8. Its EPSS exploit-prediction score of 37% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-434.

Key facts

Description

An arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium plugin before 3.3.1 for WordPress allows remote attackers to achieve remote code execution on the operating system in the security context of the web server. In order to exploit this vulnerability, an attacker must be able to place a valid Gift Card product into the shopping cart. An uploaded file is placed at a predetermined path on the web server with a user-specified filename and extension. This occurs because the ywgc-upload-picture parameter can have a .php value even though the intention was to only allow uploads of Gift Card images.

Frequently asked questions

What is CVE-2021-3120?
An arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium plugin before 3.3.1 for WordPress allows remote attackers to achieve remote code execution on the operating system in the security context of the web server. In order to exploit this vulnerability, an attacker must be able to place a valid Gift Card product into the shopping cart. An uploaded file is placed at a predetermined path on the web server with a user-specified filename and extension. This occurs because the ywgc-upload-picture parameter can have a .php value even though the intention was to only allow uploads of Gift Card images.
How severe is CVE-2021-3120?
CVE-2021-3120 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-3120 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 37% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2021-3120?
CVE-2021-3120 affects Yithemes Yith Woocommerce Gift Cards. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-3120?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2021-3120 published?
CVE-2021-3120 was published on 2021-02-22 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Yithemes Yith Woocommerce Gift Cards

All CVEs affecting Yithemes Yith Woocommerce Gift Cards →

Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities

Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →