← back
CVE-2021-47924

WordPress Plugin Ultimate Product Catalogue 5.8.2 Stored XSS via price

CVSS 5.1 MEDIUMEPSS 0.3%CWE-79
Ultimate Product Catalogue 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
Etoilewebdesign · Ultimate Product Catalogue
public PoCs found1
cve_referencewww.exploit-db.com/exploits/50534unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wordpress.org/plugins/ultimate-product-catalogue/https://www.etoilewebdesign.comhttps://www.exploit-db.com/exploits/50534https://www.vulncheck.com/advisories/wordpress-plugin-ultimate-product-catalog-stored-xss-via-price