
CVE-2026-10104: WordPress Product Video Gallery XSS Flaw

CVE-2026-10104 is a stored cross-site scripting vulnerability in the Product Video Gallery for WooCommerce WordPress plugin. Attackers with shop manager access can inject malicious scripts via the custom_thumbnail parameter.

CVE-2026-10104 Overview

CVE-2026-10104 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting the Product Video Gallery for WooCommerce plugin for WordPress. The flaw exists in all versions up to and including 1.5.1.8. It stems from insufficient input sanitization and output escaping on the custom_thumbnail parameter. Authenticated attackers with shop manager privileges or higher can inject arbitrary web scripts into pages. The injected payload executes in the browser of any user who visits an affected page. The vulnerability is tracked with a CVSS 3.1 score of 4.4 and was published on July 2, 2026.

Critical Impact

Attackers with shop manager access can inject persistent JavaScript that executes in visitors' browsers, enabling session theft, credential harvesting, or administrative action abuse via a compromised store staff account.

Affected Products

  • Product Video Gallery for WooCommerce plugin for WordPress
  • All versions through 1.5.1.8
  • WordPress sites running WooCommerce with the affected plugin enabled

Discovery Timeline

  • 2026-07-02 - CVE-2026-10104 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-10104

Vulnerability Analysis

The plugin allows shop managers and higher-privileged users to configure video gallery entries associated with WooCommerce products. When storing the custom_thumbnail parameter, the plugin fails to sanitize input on write and does not escape output on render. Attacker-supplied HTML and JavaScript persist in the database and are served to any user viewing the product page. Because the payload is stored, exploitation does not require repeated attacker action. Any visitor rendering the injected page becomes a target, including store administrators. The relevant code paths reside in admin/class-video-field.php and public/class-rendering.php. Attackers must be authenticated, and exploitation requires shop manager-level access, limiting the scope to insiders or accounts compromised through phishing or credential reuse.

Root Cause

The root cause is missing input validation on the custom_thumbnail field during save and missing output escaping when the value is rendered. Neither sanitize_text_field() nor esc_attr() / esc_url() were applied where user input crosses the trust boundary. See WordPress Plugin Admin Class and WordPress Plugin Public Rendering L365 for the vulnerable rendering paths.

Attack Vector

An authenticated shop manager submits a crafted custom_thumbnail value containing HTML attributes or a script payload through the plugin's admin interface. The value is written to the WordPress options or postmeta store without sanitization. When a frontend visitor loads the affected product page, the injected content is emitted directly into the DOM and executes in the visitor's browser context. See the Wordfence Vulnerability Report for additional analysis. No verified exploit code is publicly available.

Detection Methods for CVE-2026-10104

Indicators of Compromise

  • Unexpected <script>, onerror, onload, or javascript: strings stored in WooCommerce product metadata related to video gallery entries.
  • Outbound requests from visitor browsers to unfamiliar domains when loading product pages.
  • Modifications to video gallery configuration by shop manager accounts outside normal business hours.

Detection Strategies

  • Audit the wp_postmeta and plugin option tables for values associated with custom_thumbnail containing HTML tags or event handlers.
  • Deploy a web application firewall rule that inspects POST requests to plugin admin endpoints for XSS payload patterns.
  • Review WordPress audit logs for shop manager accounts editing product video gallery fields.

Monitoring Recommendations

  • Enable Content Security Policy (CSP) reporting so that policy violations on product pages, such as inline scripts or script loads from unexpected origins, are surfaced to a report endpoint.
  • Monitor privileged WordPress role activity, especially shop manager and administrator sessions.
  • Alert on plugin file changes and unauthorized version rollbacks.

How to Mitigate CVE-2026-10104

Immediate Actions Required

  • Update the Product Video Gallery for WooCommerce plugin to a version later than 1.5.1.8 once released by the vendor.
  • Review all existing custom_thumbnail values in the database and remove any containing script tags or event handlers.
  • Audit shop manager accounts and enforce strong authentication and multi-factor authentication (MFA) on all privileged WordPress roles.
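The database audit called for under Detection Strategies and in the immediate actions above, as an added example that is not part of the original page or the plugin: it scans constructed wp_postmeta-style rows for custom_thumbnail values carrying the indicators the page lists, collapsing whitespace and control characters first so obfuscated forms that a plain SQL LIKE pattern misses are still caught. It assumes (not stated on the page) that a clean thumbnail value is an http(s) URL or a site-relative path; the sample rows are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed wp_postmeta-style rows (post_id, meta_key, meta_value); not real site data.
SAMPLE_ROWS = [
    (101, "custom_thumbnail", "https://cdn.example.com/thumbs/101.jpg"),
    (102, "custom_thumbnail", "/wp-content/uploads/2026/07/102.png"),
    (103, "custom_thumbnail", '"><img src=x onerror="alert(1)">'),
    (104, "custom_thumbnail", "JaVaScRiPt:alert(document.cookie)"),
    (105, "custom_thumbnail", 'https://cdn.example.com/a.jpg" onload = "alert(1)'),
    (106, "custom_thumbnail", "java\tscript:alert(1)"),
    (107, "_thumbnail_id", "55"),  # unrelated key, must be ignored
]

def looks_like_image_ref(value: str) -> bool:
    """Assumed clean shape for a thumbnail: an http(s) URL or a site-relative path."""
    parsed = urlparse(value.strip())
    if parsed.scheme in ("http", "https"):
        return bool(parsed.netloc)
    return parsed.scheme == "" and value.strip().startswith("/")

def classify_value(value: str) -> list[str]:
    """Reasons a stored custom_thumbnail value looks like XSS residue; empty means clean."""
    reasons = []
    # Browsers tolerate whitespace/control chars inside tokens ("java\tscript:", "onload ="),
    # so collapse them before matching; a plain LIKE '%javascript:%' query misses these.
    collapsed = re.sub(r"[\s\x00-\x1f]+", "", value).lower()
    if "<script" in collapsed:
        reasons.append("script tag")
    elif re.search(r"<[a-z!/?]", collapsed):
        reasons.append("html tag")
    if re.search(r"\bon[a-z]+\s*=", value, re.I):
        reasons.append("event handler attribute")
    if any(s in collapsed for s in ("javascript:", "vbscript:", "data:text/html")):
        reasons.append("script uri scheme")
    if re.search(r"""["'<>]""", value):
        reasons.append("quote or angle bracket (attribute breakout)")
    if not reasons and not looks_like_image_ref(value):
        reasons.append("unexpected shape, review manually")
    return reasons

def scan_rows(rows):
    """Return (post_id, meta_key, reasons) for custom_thumbnail rows that need review."""
    findings = []
    for post_id, meta_key, meta_value in rows:
        if "custom_thumbnail" in meta_key:
            reasons = classify_value(meta_value)
            if reasons:
                findings.append((post_id, meta_key, reasons))
    return findings
```

Feed `scan_rows` the output of a `SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key LIKE '%custom_thumbnail%'` export and review every flagged row before deleting it.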

Patch Information

The vendor addressed the vulnerable code paths in admin/class-video-field.php and public/class-rendering.php. Refer to the WordPress Plugin ChangeSet Details for the fix commit and to the WordPress Plugin Admin Class Update for the updated sanitization logic.

Workarounds

  • Temporarily deactivate the Product Video Gallery for WooCommerce plugin until a patched version is installed.
  • Restrict shop manager role assignments and remove the capability from accounts that do not require it.
  • Deploy a WAF rule blocking HTML and JavaScript payloads in requests targeting the plugin's admin-ajax and REST endpoints.

```bash
# Configuration example: identify suspicious custom_thumbnail values via WP-CLI.
# Assumes the default wp_ table prefix; adjust the table name if the site uses another.
wp db query "SELECT post_id, meta_key, meta_value FROM wp_postmeta \
  WHERE meta_key LIKE '%custom_thumbnail%' \
  AND (meta_value LIKE '%<script%' \
       OR meta_value LIKE '%onerror=%' \
       OR meta_value LIKE '%onload=%' \
       OR meta_value LIKE '%javascript:%');"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
