Description
Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting flaw that allows an authenticated user to inject arbitrary HTML or JavaScript into the price field. An authenticated user who sends a crafted POST request to the plugin’s post.php endpoint causes the malicious payload to be stored with the product. When any visitor loads the product page, the embedded script executes in the visitor’s browser, potentially enabling actions such as cookie theft, session hijacking, or navigation to malicious sites.

Affected Systems

WordPress installations that have installed Etoilewebdesign’s Ultimate Product Catalog plugin version 5.8.2 and that permit users to edit product prices are vulnerable. The flaw exists only in this specific version and depends on the plugin’s lack of sanitization for the price input.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a valid authenticated account with permission to edit product prices and the ability to submit a POST request to post.php. Once the payload is stored, it executes each time the product page is viewed by any user.

Generated by OpenCVE AI on May 10, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ultimate Product Catalog plugin to the latest version that addresses the XSS issue.
  • If an upgrade cannot be performed immediately, restrict or disable price editing permissions for non-administrator roles to eliminate the input vector.
  • Apply server-side validation or sanitization to the price field to strip HTML and JavaScript before storing or displaying the value.
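The following is an added illustration of the validation and escaping the last two recommendations describe; it is not code from the Ultimate Product Catalog plugin. The function names, nonce action, capability and meta key are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's code): hardening a hypothetical
// WordPress price-update handler against stored XSS.

// Input side: accept only a well-formed decimal price, never raw markup.
function upc_example_validate_price( $raw ) {
    // sanitize_text_field() strips tags and surrounding whitespace.
    $value = sanitize_text_field( wp_unslash( (string) $raw ) );
    $value = str_replace( ',', '', $value ); // tolerate "1,299.00"
    if ( ! preg_match( '/^\d{1,10}(\.\d{1,2})?$/', $value ) ) {
        return null; // anything that is not a plain number is rejected
    }
    return $value;
}

// Hypothetical handler for the POST that saves a product price.
function upc_example_handle_price_post() {
    // Capability check: only users allowed to edit products get here.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Nonce check so the request cannot be forged from another site.
    check_admin_referer( 'upc_example_save_price' );

    $product_id = absint( $_POST['product_id'] ?? 0 );
    $price      = upc_example_validate_price( $_POST['price'] ?? '' );
    if ( null === $price || 0 === $product_id ) {
        wp_die( 'Invalid price', 400 );
    }
    update_post_meta( $product_id, '_upc_example_price', $price );
}

// Output side: escape at render time regardless of what is stored, so
// legacy rows that already contain markup are displayed as inert text.
function upc_example_render_price( $product_id ) {
    $stored = get_post_meta( $product_id, '_upc_example_price', true );
    return '<span class="price">' . esc_html( $stored ) . '</span>';
}
```

Validating on input and escaping on output are independent controls; the output escape is what neutralises payloads that were stored before the input check existed.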



Advisories

No advisories yet.

History

Sun, 10 May 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress
                                       Wordpress wordpress
Vendors & Products                     Wordpress
                                       Wordpress wordpress

Sun, 10 May 2026 13:00:00 +0000

Type                  Values Removed   Values Added
Description                            Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed.
Title                                  WordPress Plugin Ultimate Product Catalog 5.8.2 Stored XSS via price
First Time appeared                    Etoilewebdesign
                                       Etoilewebdesign ultimate Product Catalog
Weaknesses                             CWE-79
CPEs                                   cpe:2.3:a:etoilewebdesign:ultimate_product_catalog:5.8.2:*:*:*:*:*:*:*
Vendors & Products                     Etoilewebdesign
                                       Etoilewebdesign ultimate Product Catalog
References
Metrics                                cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
                                       cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:46.712Z

Reserved: 2026-02-01T11:24:18.715Z

Link: CVE-2021-47924

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T13:16:28.307

Modified: 2026-05-10T13:16:28.307

Link: CVE-2021-47924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:45:15Z

Weaknesses