Skip to main content

Product Video Gallery For Woocommerce

1 CVEs product

Monthly

CVE-2026-10104 MEDIUM This Month

Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog, but the PR:H requirement is the primary limiting factor for real-world risk - any compromise of a shop manager account would make this trivially exploitable.

WordPress XSS Product Video Gallery For Woocommerce
NVD
CVSS 3.1
4.4
EPSS
0.3%
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog, but the PR:H requirement is the primary limiting factor for real-world risk - any compromise of a shop manager account would make this trivially exploitable.

WordPress XSS Product Video Gallery For Woocommerce
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy