CVE-2026-10104

MEDIUM

Product Video Gallery for Woocommerce <= 1.5.1.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via custom_thumbnail Parameter

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-10104. PoCs published by Ravi-lk.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-10104, a stored XSS vulnerability in the Product Video Gallery for WooCommerce plugin (≤1.5.1.6). The vulnerability arises from insufficient sanitization of the `custom_thumbnail` parameter, allowing authenticated attackers with product editing privileges to inject malicious JavaScript via HTML event handlers, which executes for any visitor viewing the affected product page.

Description

The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Exploits (1)

github WRITEUP
by Ravi-lk · poc
https://github.com/Ravi-lk/CVE-2026-10104-POC

This repository provides a detailed technical analysis of CVE-2026-10104, a stored XSS vulnerability in the Product Video Gallery for WooCommerce plugin (≤1.5.1.6). The vulnerability arises from insufficient sanitization of the `custom_thumbnail` parameter, allowing authenticated attackers with product editing privileges to inject malicious JavaScript via HTML event handlers, which executes for any visitor viewing the affected product page.

Classification
Writeup 99%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Product Video Gallery for WooCommerce ≤1.5.1.6
Auth required
Prerequisites: WordPress with WooCommerce installed · Product Video Gallery for WooCommerce plugin ≤1.5.1.6 · A WooCommerce product with a configured video URL · Authenticated access with product editing privileges (e.g., Shop Manager, Author)
mistral-large-3 · analyzed Jul 05, 2026 Full analysis →

Scores

CVSS v3 4.4
EPSS 0.0026
EPSS Percentile 17.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
nikhilgadhiya/Product Video Gallery for Woocommerce < 1.5.1.8
Published Jul 02, 2026
Tracked Since Jul 02, 2026