CVE-2021-47924 Overview
CVE-2021-47924 is a stored cross-site scripting (XSS) vulnerability in the Ultimate Product Catalog WordPress plugin version 5.8.2, developed by Etoile Web Design. Authenticated attackers can inject malicious HTML or JavaScript through the price parameter when submitting POST requests to post.php. The injected payload is stored in the product record and executes in the browser of any user who views the affected product page. The vulnerability is categorized under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated attackers can persist arbitrary JavaScript in product listings, enabling session hijacking, credential theft, and administrative account compromise when victims load the catalog.
Affected Products
- Ultimate Product Catalog WordPress plugin version 5.8.2
- Etoile Web Design Ultimate Product Catalogue (ultimate-product-catalogue)
- WordPress sites running the vulnerable plugin release
Discovery Timeline
- 2026-05-10 - CVE-2021-47924 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47924
Vulnerability Analysis
The vulnerability stems from missing output encoding and input sanitization on the price field of the Ultimate Product Catalog plugin. When an authenticated user submits a product through post.php, the application accepts arbitrary HTML and JavaScript content in the price parameter and stores it directly in the WordPress database. The stored value is later rendered into the product display without context-appropriate escaping. Because the payload persists server-side, every visitor who loads the affected product triggers script execution under the site's origin. Exploitation requires only a low-privileged attacker account and minimal interaction from the victim (viewing the product page), which makes the flaw useful for compromising higher-privileged accounts such as administrators.
Root Cause
The root cause is improper neutralization of user-supplied input written to a page that is later served to other users. The price parameter is expected to contain a numeric or currency value, yet the plugin enforces no type validation, allowlist filtering, or HTML entity encoding. The stored data path bypasses WordPress sanitization helpers such as sanitize_text_field() and wp_kses(), so script tags and event handlers survive intact through database storage and rendering.
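To make the input-validation and output-encoding failure concrete, the following is an added example and not code from the Ultimate Product Catalog plugin. It places the vulnerable store/render pattern the analysis describes beside a hardened version. Function names (upcp_*) and the product array are constructed for illustration; strip_tags() and htmlspecialchars() stand in for WordPress's sanitize_text_field() and esc_html() so the file runs under plain PHP without WordPress loaded.

```php
<?php
// Added example, not the plugin's own code. upcp_* names and the $product array
// are constructed stand-ins for the plugin's product record.

// ---- Vulnerable pattern the advisory describes ----------------------------

// Store whatever arrived in the request; markup survives into the database.
function upcp_store_price_vulnerable(array &$product, string $raw): void {
    $product['price'] = $raw;
}

// Write the stored value into HTML unescaped; a stored payload runs in the viewer's browser.
function upcp_render_price_vulnerable(array $product): string {
    return '<span class="price">' . $product['price'] . '</span>';
}

// ---- Hardened pattern: validate on input, escape on output ------------------

// Accept only a plain decimal amount (digits, optional two-decimal fraction).
// Currency symbols and digit grouping belong to rendering, not to the stored value.
function upcp_validate_price(string $raw): ?string {
    $clean = trim(strip_tags($raw));                       // sanitize_text_field() equivalent
    return preg_match('/\A\d{1,12}(\.\d{1,2})?\z/', $clean) === 1 ? $clean : null;
}

// Refuse the save outright when validation fails instead of storing a "cleaned" guess.
function upcp_store_price_fixed(array &$product, string $raw): bool {
    $price = upcp_validate_price($raw);
    if ($price === null) {
        return false;
    }
    $product['price'] = $price;
    return true;
}

// Escape at the HTML-text sink regardless of what validation did earlier (defence in depth).
function upcp_render_price_fixed(array $product): string {
    $escaped = htmlspecialchars((string) $product['price'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); // esc_html() equivalent
    return '<span class="price">' . $escaped . '</span>';
}

// ---- Demonstration on constructed inputs -----------------------------------
$inputs = [
    '19.99',                            // legitimate value
    '<script>alert(1)</script>',        // script block in the price field
    '1 <b onmouseover=alert(1)>2</b>',  // event handler wrapped in numeric-looking text
];

foreach ($inputs as $raw) {
    $vulnerable = ['price' => ''];
    upcp_store_price_vulnerable($vulnerable, $raw);
    echo "input:      {$raw}\n";
    echo "vulnerable: " . upcp_render_price_vulnerable($vulnerable) . "\n";

    $fixed = ['price' => ''];
    $accepted = upcp_store_price_fixed($fixed, $raw);
    echo "fixed:      " . ($accepted ? upcp_render_price_fixed($fixed) : 'rejected by validation') . "\n\n";
}
```

Run it with `php` to see the second and third inputs rendered as live markup by the vulnerable path and rejected by the hardened one. Inside a real plugin the same shape applies with WordPress helpers: read the field with sanitize_text_field(wp_unslash($_POST['price'])), check the request with check_admin_referer() and current_user_can() before saving, and wrap the value in esc_html() at the template. Validation and escaping are kept separate on purpose: the regex stops bad data from being stored, and the escape at the sink means a value that reaches the template through some other route (an import, a direct database edit) still displays as text.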
Attack Vector
An attacker authenticates to the WordPress site with any account that has product submission rights. The attacker sends a POST request to post.php containing a payload such as <script>...</script> or an event-handler attribute in the price field. The plugin stores the product, and the payload executes in the browser of any administrator or visitor who subsequently views the catalog. This enables session theft, forced administrative actions, and follow-on account takeover. A public proof of concept is available at Exploit-DB #50534 and the VulnCheck Advisory on WordPress XSS.
Detection Methods for CVE-2021-47924
Indicators of Compromise
- Product records in the WordPress database containing HTML tags, <script> blocks, or on* event handler attributes in the price column.
- POST requests to post.php with price parameter values that include angle brackets, JavaScript URIs, or encoded script payloads.
- Outbound browser requests from administrator sessions to unfamiliar domains immediately after viewing the product catalog.
Detection Strategies
- Inspect web server access logs for POST requests to /wp-admin/post.php where body content includes script-like patterns in the price field.
- Query the WordPress wp_postmeta and plugin-specific tables for stored price values that fail a strict numeric or currency regular expression.
- Deploy a web application firewall rule that flags non-numeric content submitted to the Ultimate Product Catalog price parameter.
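The stored-data and request checks in the two preceding lists can be scripted. The following is an added example, not part of the advisory or the plugin: it classifies price values as numeric, merely non-numeric, or script-like, then applies that classification to constructed meta-table rows and to constructed form-encoded POST bodies. The row layout (post_id, meta_value) is an assumption about where the plugin keeps prices; adapt the query that feeds it. Note that standard web server access logs do not record request bodies, so the body check needs input from a WAF or audit log that does. Requires PHP 8 for str_ends_with().

```php
<?php
// Added example, not from the advisory or the plugin. Column names and sample
// data below are constructed.

// A price is expected to be a plain decimal amount. Anything else is worth a look.
const UPCP_PRICE_OK = '/\A\d{1,12}(\.\d{1,2})?\z/';

// Patterns that indicate markup or script rather than an odd but harmless value.
const UPCP_SCRIPT_LIKE = [
    '/[<>]/',                     // raw angle brackets
    '/%3[cCeE]/',                 // URL-encoded < or >
    '/&lt;|&gt;|&#x3c;|&#60;/i',  // entity-encoded brackets
    '/javascript\s*:/i',          // javascript: URI
    '/\bon[a-z]+\s*=/i',          // on* event-handler attribute
];

// Returns 'ok', 'script-like', or 'non-numeric'.
function upcp_classify_price(string $value): string {
    if (preg_match(UPCP_PRICE_OK, $value) === 1) {
        return 'ok';
    }
    foreach (UPCP_SCRIPT_LIKE as $re) {
        if (preg_match($re, $value) === 1) {
            return 'script-like';
        }
    }
    return 'non-numeric';  // e.g. "$19.99" or "Call for quote": a data-quality question, not an IoC
}

// Stored-data check: rows as a SELECT on the meta table might return them.
function upcp_scan_stored_prices(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        $verdict = upcp_classify_price((string) $row['meta_value']);
        if ($verdict !== 'ok') {
            $hits[] = ['post_id' => $row['post_id'], 'verdict' => $verdict, 'value' => $row['meta_value']];
        }
    }
    return $hits;
}

// Request check: one form-encoded POST body captured by a WAF or audit log.
// Returns the verdict for the price field, or null when the request is out of scope.
function upcp_check_post_body(string $uri, string $body): ?string {
    $path = (string) parse_url($uri, PHP_URL_PATH);
    if (!str_ends_with($path, '/post.php')) {
        return null;
    }
    parse_str($body, $params);  // decodes %XX and '+' the way the application would
    if (!isset($params['price'])) {
        return null;
    }
    return upcp_classify_price((string) $params['price']);
}

// ---- Constructed sample data -----------------------------------------------
$rows = [
    ['post_id' => 101, 'meta_value' => '19.99'],
    ['post_id' => 102, 'meta_value' => '<script>alert(1)</script>'],
    ['post_id' => 103, 'meta_value' => 'Call for quote'],
    ['post_id' => 104, 'meta_value' => '&lt;img src=x onerror=alert(1)&gt;'],
];
foreach (upcp_scan_stored_prices($rows) as $h) {
    printf("stored: post %d -> %s (%s)\n", $h['post_id'], $h['verdict'], $h['value']);
}

$requests = [
    ['/wp-admin/post.php', 'post_title=Widget&price=12.50'],
    ['/wp-admin/post.php', 'post_title=Widget&price=%3Cscript%3Ealert%281%29%3C%2Fscript%3E'],
    ['/wp-admin/edit.php', 'price=%3Cb%3E'],  // different endpoint: not in scope for this rule
];
foreach ($requests as [$uri, $body]) {
    printf("request: %s price=%s\n", $uri, var_export(upcp_check_post_body($uri, $body), true));
}
```

Running the script reports post 102 and post 104 as script-like, post 103 as non-numeric, the second request as script-like, and the edit.php request as out of scope (null). The event-handler pattern is deliberately broad (any on-word followed by "="), so expect occasional false positives on text like "online=yes"; that is preferable to missing an uncommon handler name. Treat 'script-like' as an indicator of compromise to triage and 'non-numeric' as a prompt to tighten validation.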
Monitoring Recommendations
- Alert on new or modified product entries created by non-administrator accounts on sites running ultimate-product-catalogue.
- Monitor administrator session anomalies such as unexpected cookie exfiltration or privilege changes following catalog page visits.
- Track plugin version inventory across WordPress estates and flag installations pinned at 5.8.2 or earlier.
How to Mitigate CVE-2021-47924
Immediate Actions Required
- Update the Ultimate Product Catalog plugin to a release later than 5.8.2 via the WordPress Plugin Catalog.
- Audit existing product entries for HTML or JavaScript content in the price field and remove malicious payloads.
- Rotate administrator credentials and invalidate active sessions if exploitation is suspected.
Patch Information
Refer to the vendor at Etoile Web Design and the plugin listing on the WordPress repository for the latest fixed release. Apply the most recent plugin version that includes input validation and output encoding for the price parameter. Verify the update by confirming that submitted HTML in the price field is rendered as escaped text rather than executed markup.
Workarounds
- Restrict product submission capabilities to trusted administrator accounts until the plugin is patched.
- Deploy a Content Security Policy that disallows inline scripts on catalog pages to reduce stored XSS execution.
- Add a WAF rule that rejects POST requests to post.php where the price parameter contains <, >, or javascript: substrings.
# Example ModSecurity rule to block non-numeric price submissions
# ARGS:price matches a "price" argument on any request, not only post.php;
# chain it with a REQUEST_URI check if other forms on the site use that name.
SecRule ARGS:price "!@rx ^[0-9]+(\.[0-9]{1,2})?$" \
"id:1004792,phase:2,deny,status:403,\
msg:'CVE-2021-47924: Non-numeric value in Ultimate Product Catalog price parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.