Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network XSS (AV:N/PR:N) needs victim click (UI:R); script escapes plugin context (S:C) with limited browser-scoped C/I/A impact, matching the reported 7.1.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in eCommerce Product Catalog <= 3.5.4 versions.
AnalysisAI
Cross-site scripting in the implecode eCommerce Product Catalog WordPress plugin (all versions through 3.5.4) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser session, with no login required (PR:N) but a user interaction step to trigger the payload (UI:R). Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can hijack administrator or shopper sessions on affected online stores. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an unauthenticated attacker to deliver a crafted request/input to the eCommerce Product Catalog plugin (versions <= 3.5.4) and, critically, requires user interaction (UI:R) - a victim must open the malicious link or view the attacker-poisoned catalog/product page for the injected script to execute. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L yields a 7.1 (High) driven by network reach, low complexity, and no authentication, but tempered by the required user interaction (UI:R) and only Low confidentiality/integrity/availability impacts typical of XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or catalog input containing a malicious JavaScript payload targeting the vulnerable plugin parameter and emails or links it to a store administrator or logged-in shopper. When the victim opens the link or views the poisoned product page (UI:R), the script executes in their browser and steals session cookies or performs actions as that user, potentially leading to admin-account takeover. … |
| Remediation | No vendor-released patch version is identified at time of analysis; the input specifies affected versions '<= 3.5.4' but no confirmed fixed release, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/ecommerce-product-catalog/vulnerability/wordpress-ecommerce-product-catalog-plugin-3-5-4-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for any release above 3.5.4 and upgrade immediately once confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress instances for implecode plugin presence and identify affected versions; disable the plugin if operationally feasible or restrict public store access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ecommerce Product Catalog
View allThe eCommerce Product Catalog Plugin for WordPress plugin before 3.0.39 does not escape the ic-settings-search parameter
Unauthenticated SQL injection in the implecode eCommerce Product Catalog WordPress plugin (versions 3.5.5 and earlier) a
The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in v
The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in v
The eCommerce Product Catalog Plugin for WordPress plugin before 3.3.26 does not have CSRF checks in some of its admin p
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in impleCode eCommerce Product Catalog Plugin f
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in impleCode eCommerc
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
The eCommerce Product Catalog plugin for WordPress is vulnerable to Stored Cross-Site Scripting via some of its settings
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41359
GHSA-3mg3-686g-v244