CVE-2021-47924

MEDIUM 6.4

WordPress Plugin Ultimate Product Catalog 5.8.2 Stored XSS via price

CVSS Score

6.4

EPSS Score

0.0%

EPSS Percentile

13th

Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed.

CWE	CWE-79
Vendor	etoilewebdesign
Product	ultimate product catalog
Published	May 10, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for etoilewebdesign ultimate product catalog

Be the first to know when new medium vulnerabilities affecting etoilewebdesign ultimate product catalog are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

None

Affected Versions

Etoilewebdesign / Ultimate Product Catalog

5.8.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/50534 etoilewebdesign.com: https://www.etoilewebdesign.com wordpress.org: https://wordpress.org/plugins/ultimate-product-catalogue/ vulncheck.com: https://www.vulncheck.com/advisories/wordpress-plugin-ultimate-product-catalog-stored-xss-via-price

Credits

Murat DEMIRCI (@murat0x7)