PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-47924 WordPress CVE debrief

CVE-2021-47924 describes a stored cross-site scripting issue in the Ultimate Product Catalog WordPress plugin, version 5.8.2. According to the supplied record, an authenticated user can store a malicious value through the price parameter; because the value is persisted with the product, the payload executes in the browser of anyone who later views the affected product. In the supplied timeline the CVE entry was published and last modified on the same day, 2026-05-10.

Vendor
WordPress (platform; the plugin vendor is referenced but not named in the record)
Product
Ultimate Product Catalog 5.8.2 (plugin; the structured record leaves this field unpopulated, the version is taken from the description)
CVSS
5.1 (Medium)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-10
Original CVE updated
2026-05-10
Advisory published
2026-05-10
Advisory updated
2026-05-10

Who should care

WordPress site owners and administrators running the Ultimate Product Catalog plugin, especially sites where authenticated users can add or edit catalog entries. Security teams should pay particular attention where product data is user-generated, where several roles can manage catalog content, or where administrators routinely view the catalog in the same browser session they use for site administration, since a stored payload runs with the privileges of whoever views it.

Technical summary

The supplied NVD-based record classifies the issue as CWE-79 (improper neutralization of input during web page generation) and describes a stored XSS condition in Ultimate Product Catalog 5.8.2. The issue is triggered through POST submissions to post.php, the endpoint the record names, where the price field can carry HTML or JavaScript that is stored with the product and later rendered unescaped in a product view. The CVSS v4 vector records low privileges and required user interaction: the attacker needs an account able to save product data, and the payload only fires when a victim opens the poisoned product.

Defensive priority

Medium. Remediate promptly if the plugin is installed and authenticated users can create or edit products, because a stored XSS payload runs in the browser of every user who views the poisoned entry, including administrators.

Recommended defensive actions

  • Inventory WordPress installations to confirm whether Ultimate Product Catalog is present and which version is deployed; the supplied record names only 5.8.2 as affected.
  • Update or replace the plugin once a fixed version is available from the vendor or the WordPress plugin repository. The record does not identify a fixed version, so confirm the fix in the plugin changelog rather than assuming any later release is safe.
  • Restrict who can create or edit catalog items, especially roles allowed to submit product prices, and remove that capability from accounts that do not need it.
  • Review validation and output encoding for fields that are rendered back into HTML: a price should be validated against a numeric allow-list on input, and every stored value should still be HTML-escaped on output, because data saved before the fix may already be poisoned.
  • Inspect existing catalog entries for unexpected markup or script content in the price field. Updating the plugin does not clean values that are already stored.
  • Apply web application monitoring or WAF rules for suspicious POST submissions to post.php and repeated attempts to inject script payloads. Since post.php handles ordinary post edits as well, key the rule on markup in the price parameter rather than on the endpoint alone.
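The following is an added example for this debrief, not code from the PatchSiren page or from the Ultimate Product Catalog plugin. It shows the two halves of the fix described in the technical summary and in the validation and inspection items above: allow-list validation of a price on input, HTML escaping on output, and a scan that reviews already-stored entries and separates markup or script content from merely malformed prices. It assumes the catalog entries have been exported as dictionaries with "post_id" and "price" keys (for example from wp_postmeta); the meta key the plugin actually uses is not stated in the record and is not assumed here. The sample rows are constructed.

```python
"""Triage and hardening helpers for a catalog "price" field prone to stored XSS.

Added example for this debrief; not code from the PatchSiren page or from the
Ultimate Product Catalog plugin. Assumption: catalog entries are available as
dicts with "post_id" and "price" keys (e.g. exported from wp_postmeta). The
meta key the plugin really uses is not given in the record and is not assumed.
"""
import html
import re
from decimal import Decimal
from typing import Dict, Iterable, List, Optional, Tuple

# Allow-list for a price: optional currency symbol, digits with optional
# thousands separators, optional fraction of up to two digits. Anything else
# is rejected on input instead of being stored.
PRICE_RE = re.compile(r"^\s*[$€£]?\s*(?:\d{1,3}(?:,\d{3})+|\d+)(?:\.\d{1,2})?\s*$")

# Heuristic for markup or script content in data that should be numeric.
# Used only to prioritise findings; the validation above is the real gate.
MARKUP_RE = re.compile(r"<[a-zA-Z/!]|javascript:|\bon[a-z]+\s*=|&#|&lt;|%3c", re.IGNORECASE)


def validate_price(raw: str) -> Optional[Decimal]:
    """Input validation: return the price as a Decimal, or None if rejected."""
    if not PRICE_RE.match(raw):
        return None
    # Strip the currency symbol and thousands separators before parsing.
    return Decimal(re.sub(r"[^\d.]", "", raw))


def render_price(raw: str) -> str:
    """Output encoding for values that must be displayed even when they failed
    validation (legacy rows). Escapes <, >, &, and quotes so the browser treats
    the value as text, never as markup. WordPress's esc_html() plays this role."""
    return html.escape(raw, quote=True)


def scan_entries(entries: Iterable[Dict[str, object]]) -> List[Tuple[object, str]]:
    """Review stored entries (the 'inspect existing catalog entries' step).

    Returns (post_id, reason) for every price that fails validation, labelling
    values that contain markup or script separately from merely malformed ones
    so the suspicious rows can be handled first.
    """
    findings: List[Tuple[object, str]] = []
    for entry in entries:
        raw = str(entry.get("price", ""))
        if validate_price(raw) is not None:
            continue
        reason = "markup_or_script" if MARKUP_RE.search(raw) else "malformed"
        findings.append((entry["post_id"], reason))
    return findings


# Constructed sample rows; not data from any real site.
SAMPLE_ENTRIES = [
    {"post_id": 101, "price": "19.99"},
    {"post_id": 102, "price": "$1,299.50"},
    {"post_id": 103, "price": "free!"},
    {"post_id": 104, "price": "<script>alert(document.cookie)</script>"},
    {"post_id": 105, "price": "9.99<img src=x onerror=alert(1)>"},
]

if __name__ == "__main__":
    for post_id, reason in scan_entries(SAMPLE_ENTRIES):
        print(f"post {post_id}: {reason}")
    # Even a poisoned legacy value becomes inert once escaped on output.
    print(render_price(str(SAMPLE_ENTRIES[4]["price"])))
```

Run against a real export, the scan gives a worklist: rows flagged markup_or_script should be cleaned and their editing accounts reviewed, while malformed rows are data-quality issues. Validation rejects anything that is not a price rather than trying to strip tags, and escaping on output is kept regardless, because a plugin update does not rewrite values already in the database.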

Evidence notes

The supplied source corpus includes an NVD record in 'Received' status, meaning it had not yet completed NVD analysis when captured, with CWE-79 and a CVSS v4 vector indicating network access, low attack complexity, low privileges, and required user interaction. The record's references point to the WordPress plugin page, the vendor site, and a VulnCheck advisory. No exploit details are used beyond the description in the source record, and no fixed version is named there.

Official resources

Publicly recorded in NVD on 2026-05-10 with source references to the WordPress plugin page, the vendor site, and a VulnCheck advisory.