All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-10104
MEDIUMpublished 2026-07-02 10:16 UTC · 2 days ago · modified 2026-07-02 16:16 UTC
4.4
CVSS / 10
// description
The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
// weaknesses (CWE)
- CWE-79
// references (8)
- https://plugins.trac.wordpress.org/browser/product-video-gallery-slider-for-woocommerce/tags/1.5.1.6/admin/class-video-field.php#L310
- https://plugins.trac.wordpress.org/browser/product-video-gallery-slider-for-woocommerce/tags/1.5.1.6/public/class-rendering.php#L365
- https://plugins.trac.wordpress.org/browser/product-video-gallery-slider-for-woocommerce/tags/1.5.1.6/public/class-rendering.php#L379
- https://plugins.trac.wordpress.org/browser/product-video-gallery-slider-for-woocommerce/tags/1.5.1.7/admin/class-video-field.php#L310