Stored Cross-Site Scripting in Ultimate Product Catalog by Etoile Web Design
CVE-2021-47924

5.1MEDIUM

Key Information:

Vendor: WordPress
Status: Ultimate Product Catalog
Vendor: CVE Published:; 10 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2021-47924?

A stored cross-site scripting (XSS) vulnerability has been identified in version 5.8.2 of the Ultimate Product Catalog, allowing authenticated users to inject malicious HTML or JavaScript into the product's price field. This vulnerability can be exploited through crafted POST requests to the post.php endpoint. When the affected product page is accessed, arbitrary scripts execute within the context of the user's session, potentially leading to severe security compromises.

Affected Version(s)

Ultimate Product Catalog 5.8.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-47924 - Proof of Concept

References

https://www.exploit-db.com/exploits/50534

exploit

https://www.etoilewebdesign.com

product

https://wordpress.org/plugins/ultimate-product-catalogue/

product

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 10, 2026
👾
Exploit known to exist
May 10, 2026
Vulnerability published
May 10, 2026
Vulnerability Reserved
Feb 1, 2026

Credit

Murat DEMIRCI (@murat0x7)

CVE-2021-47924 Data

JSON

WordPress

Badges

What is CVE-2021-47924?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit