CVE-2026-10104 in Product Video Gallery for Woocommerce Plugininfo

Summary

by MITRE • 07/02/2026

The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/02/2026

The vulnerability identified in the Product Video Gallery for Woocommerce plugin represents a critical stored cross-site scripting flaw that undermines the security integrity of WordPress e-commerce environments. This weakness affects all versions up to and including 1.5.1.8, creating a persistent threat vector that can be exploited by authenticated attackers who possess shop manager privileges or higher access levels. The vulnerability stems from inadequate input sanitization mechanisms and insufficient output escaping procedures within the plugin's codebase, specifically concerning the custom_thumbnail parameter handling.

The technical implementation of this flaw allows malicious actors to inject arbitrary web scripts into the plugin's functionality through the custom_thumbnail parameter, which then gets stored within the system's database. When legitimate users access pages containing these malicious injections, the stored scripts execute automatically in their browsers, creating a persistent threat that can affect multiple users over time. This stored nature of the vulnerability differentiates it from reflected XSS attacks and makes it particularly dangerous as the malicious code remains active until manually removed from the system.

From an operational perspective, this vulnerability creates significant risks for e-commerce platforms relying on WordPress with Woocommerce functionality. Shop managers and other privileged users who can modify product information become potential vectors for attack, allowing adversaries to compromise customer sessions, steal sensitive data, or redirect users to malicious sites. The impact extends beyond simple script execution as it can facilitate more sophisticated attacks such as session hijacking, credential theft, or the deployment of additional malware through the compromised user browsers.

The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and it maps directly to ATT&CK technique T1566.002 related to spearphishing attachments that can be used to establish initial access. Organizations should prioritize immediate remediation through plugin updates to version 1.5.1.9 or later, while implementing additional security measures such as input validation filters, output escaping mechanisms, and regular security audits of third-party plugins. Network monitoring should also be enhanced to detect anomalous script injection patterns, and privileged user access should be strictly controlled through multi-factor authentication and least-privilege principles.

Mitigation strategies must include comprehensive code review of the plugin's parameter handling procedures, implementation of robust input sanitization routines, and enforcement of proper output escaping for all dynamic content. Security teams should also consider implementing web application firewalls that can detect and block malicious script injection attempts, while maintaining detailed logging of user activities within the Woocommerce administration interface. Regular security assessments of WordPress plugins and themes remain essential to prevent similar vulnerabilities from being introduced through third-party components in the e-commerce ecosystem.

Responsible

Wordfence

Reservation

05/29/2026

Disclosure

07/02/2026

Moderation

accepted

CPE

ready

EPSS

0.00263

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!