CVE-2021-24875

MEDIUM NUCLEI

WordPress eCommerce Product Catalog <3.0.39 - XSS

Title source: llm

Exploitation Summary

CVE-2021-24875 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

The eCommerce Product Catalog Plugin for WordPress plugin before 3.0.39 does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue

Nuclei Templates (1)

WordPress eCommerce Product Catalog <3.0.39 - Cross-Site Scripting

MEDIUMVERIFIEDby r3Y3r53

References (1)

Core 1

Core References

Third Party Advisory x_refsource_misc

https://wpscan.com/vulnerability/652efc4a-f931-4668-ae74-a58b288a5715

Scores

CVSS v3 6.1

EPSS 0.0155

EPSS Percentile 71.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

implecode/ecommerce_product_catalog < 3.0.39

Published Nov 23, 2021

Tracked Since Feb 18, 2026