Stored Cross-Site Scripting Vulnerability in Product Video Gallery for Woocommerce by WordPress
CVE-2026-10104
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 2 July 2026
Badges
What is CVE-2026-10104?
The Product Video Gallery for Woocommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in the custom_thumbnail parameter. Authenticated users with shop manager-level access can exploit this vulnerability to inject malicious scripts into web pages. When these pages are accessed by other users, the injected scripts are executed, potentially compromising user data and security.
Affected Version(s)
Product Video Gallery for Woocommerce 0 <= 1.5.1.8
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved