CVE-2021-47924

MEDIUM 6.4

WordPress Plugin Ultimate Product Catalogue 5.8.2 Stored XSS via price

CVSS Score

6.4

EPSS Score

0.0%

EPSS Percentile

15th

Ultimate Product Catalogue 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed.

CWE	CWE-79
Vendor	etoilewebdesign
Product	ultimate product catalogue
Published	May 10, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for etoilewebdesign ultimate product catalogue

Be the first to know when new medium vulnerabilities affecting etoilewebdesign ultimate product catalogue are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Etoilewebdesign / Ultimate Product Catalogue

5.8.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/50534 etoilewebdesign.com: https://www.etoilewebdesign.com wordpress.org: https://wordpress.org/plugins/ultimate-product-catalogue/ vulncheck.com: https://www.vulncheck.com/advisories/wordpress-plugin-ultimate-product-catalog-stored-xss-via-price

Credits

Murat DEMIRCI (@murat0x7)