Vulnerabilities and security researches forultimate-product-catalogue ultimate-product-catalogue

May 12, 2026

CVE, Research URL: CVE-2021-47924
Home page URL: Security reports for Ultimate Product Catalog
Application: Ultimate Product Catalog
Date: May 10, 2026
Research Description: Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed.
Affected versions: max 5.8.2.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2017-12200
Home page URL: Security reports for Ultimate Product Catalog
Application: Ultimate Product Catalog
Date: -
Research Description: The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has XSS in the Add Product Manually component.
Affected versions: max 4.2.11.
Status: vulnerable

CVE, Research URL: CVE-2017-12199
Home page URL: Security reports for Ultimate Product Catalog
Application: Ultimate Product Catalog
Date: -
Research Description: The Etoile Ultimate Product Catalog plugin 4.2.22 for WordPress has SQL injection with these wp-admin/admin-ajax.php POST actions: catalogue_update_order list-item, video_update_order video-item, image_update_order list-item, tag_group_update_order list_item, category_products_update_order category-product-item, custom_fields_update_order field-item, categories_update_order category-item, subcategories_update_order subcategory-item, and tags_update_order tag-list-item.
Affected versions: max 4.2.22.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2021-24993
Home page URL: Security reports for Ultimate Product Catalog
Application: Ultimate Product Catalog
Date: Feb 07, 2022
Research Description: The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example
Affected versions: max 2.1.1.
Status: vulnerable

CVE, Research URL: CVE-2023-2711
Home page URL: Security reports for Ultimate Product Catalog
Application: Ultimate Product Catalog
Date: Jun 27, 2023
Research Description: The Ultimate Product Catalog WordPress plugin before 5.2.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: max 5.2.6.
Status: vulnerable

CVE, Research URL: CVE-2024-31921
Home page URL: Security reports for Ultimate Product Catalog
Application: Ultimate Product Catalog
Date: Apr 15, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Etoile Web Design Ultimate Product Catalogue.This issue affects Ultimate Product Catalogue: from n/a through 5.2.15.
Affected versions: max 5.2.16.
Status: vulnerable