Description
Ultimate Product Catalogue 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ultimate Product Catalogue 5.8.2 contains a stored cross-site scripting flaw that allows an authenticated user to inject malicious scripts through the price parameter. An attacker who sends a crafted POST request to the plugin's post.php endpoint has the payload stored with the product. When any visitor loads the product page, the embedded script executes in the visitor's browser, potentially enabling cookie theft, session hijacking, or redirection to malicious sites.

Affected Systems

WordPress installations running Etoilewebdesign's Ultimate Product Catalog plugin version 5.8.2 that also permit users to edit product prices are vulnerable. The flaw exists only in this specific version and stems from the plugin's lack of sanitization of the price input.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score of 0.00047 (<1%) indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a valid authenticated account with permission to edit product prices and the ability to submit a POST request to post.php. Once the payload is stored, it executes each time the product page is viewed by any user.

Generated by OpenCVE AI on May 28, 2026 at 17:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ultimate Product Catalog plugin to the latest version that addresses the XSS issue.
  • If an upgrade cannot be performed immediately, restrict or disable price editing permissions for non-administrator roles to eliminate the input vector.
  • Apply server-side validation or sanitization to the price field to strip HTML and JavaScript before storing or displaying the value.
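As an added illustration of the third recommendation (this is not the plugin's code and not part of the OpenCVE record), a PHP handler that accepts only a plain numeric price on input and escapes the stored value on output; the function names are hypothetical, and htmlspecialchars() stands in for WordPress's esc_html() so the snippet runs outside WordPress.

```php
<?php
// Added example, not the plugin's code: validate and escape a product price
// field so that stored HTML/JavaScript never reaches the rendered page.
// Function names (ecom_validate_price, ecom_render_price) are hypothetical.

/**
 * Validate a submitted price. Returns a normalised decimal string, or null
 * when the input is anything other than a plain non-negative number.
 * Rejecting at input time means markup can never be stored in the field.
 */
function ecom_validate_price(string $raw): ?string {
    $raw = trim($raw);
    // Digits with an optional fractional part of up to two places only.
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', $raw)) {
        return null;
    }
    return number_format((float) $raw, 2, '.', '');
}

/**
 * Vulnerable pattern: the stored value is interpolated into HTML verbatim,
 * so anything that reached storage is executed by the visitor's browser.
 */
function ecom_render_price_unsafe(string $stored): string {
    return '<span class="price">' . $stored . '</span>';
}

/**
 * Hardened output: escape even values believed to be clean, so that records
 * stored before input validation existed are still rendered inert. Inside
 * WordPress, esc_html() performs the same role as htmlspecialchars() here.
 */
function ecom_render_price(string $stored): string {
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="price">' . $safe . '</span>';
}

// Constructed inputs: a normal price and a value carrying markup.
foreach (['19.99', '9<script>x</script>'] as $input) {
    $clean = ecom_validate_price($input);
    echo $clean === null ? "rejected: $input\n" : "stored: $clean\n";
    // Output escaping neutralises the markup even if it had been stored.
    echo ecom_render_price($input), "\n";
}
```

Both layers are needed: input validation stops new bad values, while output escaping protects product records that were stored before the fix.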

Advisories

No advisories yet.

History

Thu, 28 May 2026 15:30:00 +0000

Type: Description
  Removed: Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed.
  Added: Ultimate Product Catalogue 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed.
Type: Title
  Removed: WordPress Plugin Ultimate Product Catalog 5.8.2 Stored XSS via price
  Added: WordPress Plugin Ultimate Product Catalogue 5.8.2 Stored XSS via price

Tue, 12 May 2026 03:15:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 15:30:00 +0000

Type: First Time appeared
  Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Added: Wordpress; Wordpress wordpress

Sun, 10 May 2026 13:00:00 +0000

Type: Description
  Added: Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed.
Type: Title
  Added: WordPress Plugin Ultimate Product Catalog 5.8.2 Stored XSS via price
Type: First Time appeared
  Added: Etoilewebdesign; Etoilewebdesign ultimate Product Catalog
Type: Weaknesses
  Added: CWE-79
Type: CPEs
  Added: cpe:2.3:a:etoilewebdesign:ultimate_product_catalog:5.8.2:*:*:*:*:*:*:*
Type: Vendors & Products
  Added: Etoilewebdesign; Etoilewebdesign ultimate Product Catalog
Type: References
Type: Metrics
  Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
  Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T14:41:08.339Z

Reserved: 2026-02-01T11:24:18.715Z

Link: CVE-2021-47924

Vulnrichment

Updated: 2026-05-12T02:37:26.902Z

NVD

Status : Deferred

Published: 2026-05-10T13:16:28.307

Modified: 2026-05-28T16:16:19.950

Link: CVE-2021-47924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T17:15:21Z

Weaknesses