Skip to main content

eCommerce Product Catalog CVE-2026-57360

| EUVDEUVD-2026-41359 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-3mg3-686g-v244
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network XSS (AV:N/PR:N) needs victim click (UI:R); script escapes plugin context (S:C) with limited browser-scoped C/I/A impact, matching the reported 7.1.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:17 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in eCommerce Product Catalog <= 3.5.4 versions.

AnalysisAI

Cross-site scripting in the implecode eCommerce Product Catalog WordPress plugin (all versions through 3.5.4) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser session, with no login required (PR:N) but a user interaction step to trigger the payload (UI:R). Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can hijack administrator or shopper sessions on affected online stores. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious XSS payload for catalog parameter
Delivery
Deliver poisoned link or product page to victim
Exploit
Victim with active session opens page (UI:R)
Execution
Injected JavaScript executes in browser (S:C)
Persist
Steal session cookies / perform actions as victim
Impact
Hijack administrator account or store data

Vulnerability AssessmentAI

Exploitation Exploitation requires an unauthenticated attacker to deliver a crafted request/input to the eCommerce Product Catalog plugin (versions <= 3.5.4) and, critically, requires user interaction (UI:R) - a victim must open the malicious link or view the attacker-poisoned catalog/product page for the injected script to execute. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L yields a 7.1 (High) driven by network reach, low complexity, and no authentication, but tempered by the required user interaction (UI:R) and only Low confidentiality/integrity/availability impacts typical of XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or catalog input containing a malicious JavaScript payload targeting the vulnerable plugin parameter and emails or links it to a store administrator or logged-in shopper. When the victim opens the link or views the poisoned product page (UI:R), the script executes in their browser and steals session cookies or performs actions as that user, potentially leading to admin-account takeover. …
Remediation No vendor-released patch version is identified at time of analysis; the input specifies affected versions '<= 3.5.4' but no confirmed fixed release, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/ecommerce-product-catalog/vulnerability/wordpress-ecommerce-product-catalog-plugin-3-5-4-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for any release above 3.5.4 and upgrade immediately once confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress instances for implecode plugin presence and identify affected versions; disable the plugin if operationally feasible or restrict public store access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57360 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy