SQL Injection vulnerability in Digincube mdgiftproduct prior to 1.4.1 allows an malicious user to run arbitrary SQL commands via the MdGiftRule::addGiftToCart method.