Product Video Gallery For Woocommerce
Monthly
Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog, but the PR:H requirement is the primary limiting factor for real-world risk - any compromise of a shop manager account would make this trivially exploitable.
Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog, but the PR:H requirement is the primary limiting factor for real-world risk - any compromise of a shop manager account would make this trivially exploitable.