GiftXtore – Luxury Jewelry & Gift Store Elementor WooCommerce WordP…

by | Feb 26, 2026 | Themes

Attack Vectors

GiftXtore – Luxury Jewelry & Gift Store Elementor WooCommerce WordPress Theme (slug: bw-giftxtore) has a Critical vulnerability (CVSS 9.8) tracked as CVE-2025-28888.

The issue is unauthenticated, meaning an attacker does not need a login to attempt exploitation. In practical terms, this can be targeted directly over the internet against any site running GiftXtore versions up to and including 1.7.5, increasing risk for public-facing eCommerce sites and marketing landing pages that prioritize uptime and conversion.

Security Weakness

This vulnerability is a Local File Inclusion (LFI). According to the published advisory, it can allow unauthenticated attackers to include and execute arbitrary files on the server, enabling execution of PHP code contained in those files.

In business terms, LFI weaknesses can become an “entry point” to bypass access controls, retrieve sensitive data, or escalate into full site takeover—especially in environments where files can be uploaded (even if they appear to be “safe” types) and then included by the vulnerable theme logic. Details and tracking are available via Wordfence’s record: Wordfence Vulnerability Intelligence.

Remediation: Update GiftXtore to version 1.7.6 or a newer patched version.
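For sites that cannot patch immediately, or that want to check whether the flaw was probed before 1.7.6 was applied, the following added example (not code from the advisory or the theme) scans web-server access logs for the request shapes a Local File Inclusion attempt leaves behind: directory traversal, PHP stream wrappers, or a null byte in any query-string value, including double-URL-encoded variants. The advisory does not name the vulnerable parameter, so every parameter is inspected; the log lines are constructed samples in Apache combined format, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2026:10:01:02 +0000] "GET /wp-content/themes/bw-giftxtore/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2026:10:01:09 +0000] "GET /?tpl=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 812 "-" "curl/8.4"
203.0.113.9 - - [26/Feb/2026:10:02:15 +0000] "GET /index.php?view=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 221 "-" "python-requests/2.31"
198.51.100.4 - - [26/Feb/2026:10:03:00 +0000] "GET /product/gold-ring/?add-to-cart=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of a file-inclusion probe inside a parameter value: traversal sequences,
# PHP stream wrappers at the start of the value, or a null byte.
SUSPICIOUS = re.compile(r'(\.\./|\.\.\\|^(php|file|data|phar|zip|expect)://|%00|\x00)', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%252e -> %2e -> .) are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, decoded value) pairs from the query string that look like LFI probes."""
    hits = []
    # parse_qsl already applies one round of URL decoding; decode_fully handles the rest.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        val = decode_fully(raw)
        if SUSPICIOUS.search(val):
            hits.append((name, val))
    return hits

def scan_log(text):
    """Return one finding per request whose query string carries an LFI-style value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "status": m["status"], "params": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request deserves priority in triage, since it suggests the inclusion may have succeeded rather than merely been attempted.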

Technical or Business Impacts

Because the severity is Critical and exploitation does not require authentication, the potential impacts can be immediate and high-consequence for brand, revenue, and compliance:

Operational disruption: Attackers may be able to take control of the site’s behavior, causing outages, defacement, checkout interruptions, or injected redirects that reduce conversion rates and damage paid-media performance.

Data exposure: If sensitive information becomes accessible through file inclusion, it can create breach notification obligations and increase legal, contractual, and regulatory risk (especially where customer data, order details, or internal configuration information is involved).

Fraud and reputational harm: A compromised storefront can be used for phishing, skimming, or malicious scripts that erode customer trust—often discovered first by customers, ad platforms, or payment providers rather than internal teams.

Recovery costs: Incident response, forensic review, restoration, and hardening efforts can quickly exceed the cost of prevention—along with potential lost revenue during remediation and ad campaign pauses.

Similar Attacks

LFI and closely related file-path weaknesses have repeatedly been used in real-world attacks because they can enable sensitive data access or remote code execution:

CVE-2019-19781 (Citrix ADC / NetScaler) – a widely exploited path traversal issue that enabled attackers to access files and achieve code execution in many environments.

CVE-2020-1938 (Ghostcat / Apache Tomcat AJP) – a flaw that could allow reading server files and, in certain scenarios, enable further compromise.

CVE-2021-41773 (Apache HTTP Server) – a path traversal vulnerability that could expose sensitive files and, depending on configuration, contribute to deeper compromise.
