Description
The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.
Published: 2026-01-31
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows unauthenticated attackers to inject scripts executed by site administrators
Action: Apply Patch
AI Analysis

Impact

The Sell BTC – Cryptocurrency Selling Calculator plugin for WordPress contains a stored cross‑site scripting vulnerability in the orderform_data AJAX action in all releases up to and including 1.5. Because the input is not properly sanitised and the output is not escaped, an unauthenticated attacker can store arbitrary JavaScript in order records, which will run whenever a WordPress administrator opens the Orders page. The vulnerability is not limited to authenticated users and can be triggered by any visitor to the site.

Affected Systems

Any WordPress installation that has the hayyatapps Sell BTC – Cryptocurrency Selling Calculator plugin installed with a version less than or equal to 1.5 is affected. The vulnerability specifically involves the plugin’s order handling functionality and the orderform_data AJAX endpoint.

Risk and Exploitability

The CVSS v3.1 base score is 7.2 (High). The vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N reflects a network-reachable flaw that needs no privileges and, because the payload is delivered to an administrator's browser, crosses a privilege boundary (scope changed). The EPSS score is under 1 %, so the estimated probability of exploitation in the wild is currently low but not zero, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely and without authentication by sending a crafted request to the orderform_data AJAX action; the unsanitized input is written into an order record, and the stored script runs in the administrator's session when the Orders page is viewed. Script running in that session can do anything the administrator's cookies and page nonces allow, which is why a low EPSS does not make this a low-priority fix.

Generated by OpenCVE AI on April 22, 2026 at 03:44 UTC.

Remediation

No complete vendor fix or workaround is currently available; version 1.5 contains only a partial patch and is still listed as affected.

OpenCVE Recommended Actions

  • Upgrade the hayyatapps Sell BTC – Cryptocurrency Selling Calculator plugin as soon as the vendor releases a version later than 1.5 that fully fixes the stored‑XSS flaw; version 1.5 is only partially patched and remains affected.
  • If an upgrade cannot be performed immediately, restrict the orderform_data action for unauthenticated callers. WordPress routes all AJAX actions through /wp-admin/admin-ajax.php, so a rule must match the action parameter (action=orderform_data in the POST body or query string), not the URL alone. Note that this disables the plugin's public order form; a web‑application firewall rule that rejects markup in the submitted fields is a weaker but less disruptive alternative.
  • If your site has custom code that reads or displays order records, validate and sanitize each field on input (for example with sanitize_text_field()) and escape it on output (esc_html(), esc_attr()), so that records already stored by an unpatched version cannot execute when displayed.
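The following is an added illustration, not code from the Sell BTC plugin, of the pattern the advisory describes and its hardened form in a hypothetical WordPress plugin: an AJAX handler registered for unauthenticated callers stores a submitted field without sanitization, and an admin page echoes it without escaping. Only the action name orderform_data comes from the advisory; the function names, the demo_orders option, the field names and the nonce name are assumptions made for the example.

```php
<?php
/**
 * Hypothetical example (not the Sell BTC plugin's code) of the stored-XSS
 * pattern described in the advisory and its hardened counterpart.
 */

// --- Vulnerable pattern -------------------------------------------------
// A wp_ajax_nopriv_* hook makes the handler reachable by unauthenticated
// visitors at /wp-admin/admin-ajax.php?action=orderform_data.
function demo_orderform_data_vulnerable() {
    $orders   = get_option( 'demo_orders', array() );
    $orders[] = array(
        'wallet' => $_POST['wallet'] ?? '', // stored verbatim: <script> survives
        'amount' => $_POST['amount'] ?? '',
    );
    update_option( 'demo_orders', $orders );
    wp_send_json_success();
}

function demo_orders_page_vulnerable() {
    foreach ( get_option( 'demo_orders', array() ) as $o ) {
        // Raw echo into the admin page: stored markup executes in the admin's session.
        echo '<tr><td>' . $o['wallet'] . '</td><td>' . $o['amount'] . '</td></tr>';
    }
}

// --- Hardened pattern ---------------------------------------------------
function demo_orderform_data_hardened() {
    // 1. Nonce check against CSRF. The public form must embed a nonce from
    //    wp_create_nonce( 'demo_orderform' ); check_ajax_referer() dies on failure.
    //    This does not stop XSS by itself; steps 2 and 4 do.
    check_ajax_referer( 'demo_orderform', 'nonce' );

    // 2. Validate and sanitize on input. Constrain each field to the shape it
    //    should have instead of only stripping tags. The wallet pattern is an
    //    example constraint (alphanumeric, 26 to 90 characters), not a full
    //    address validator.
    $wallet = sanitize_text_field( wp_unslash( $_POST['wallet'] ?? '' ) );
    if ( ! preg_match( '/^[A-Za-z0-9]{26,90}$/', $wallet ) ) {
        wp_send_json_error( 'invalid wallet', 400 );
    }
    $amount = (float) ( $_POST['amount'] ?? 0 );
    if ( $amount <= 0 ) {
        wp_send_json_error( 'invalid amount', 400 );
    }

    $orders   = get_option( 'demo_orders', array() );
    $orders[] = array( 'wallet' => $wallet, 'amount' => $amount );
    update_option( 'demo_orders', $orders );
    wp_send_json_success();
}

function demo_orders_page_hardened() {
    // 3. Capability check before rendering admin data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    foreach ( get_option( 'demo_orders', array() ) as $o ) {
        // 4. Escape on output regardless of what input filtering did, so that
        //    records stored by an older, unfiltered version cannot execute either:
        //    esc_html() for element content, esc_attr() for attribute values.
        printf(
            '<tr><td>%s</td><td>%s</td></tr>',
            esc_html( $o['wallet'] ),
            esc_html( number_format( (float) $o['amount'], 8 ) )
        );
    }
}

// Register the hardened handler for both logged-out and logged-in callers.
add_action( 'wp_ajax_nopriv_orderform_data', 'demo_orderform_data_hardened' );
add_action( 'wp_ajax_orderform_data',        'demo_orderform_data_hardened' );
```

The two halves of the fix are independent: sanitizing on input keeps markup out of new records, while escaping on output neutralizes whatever is already in the database, which matters here because records written by versions up to 1.5 may already contain a payload.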



Advisories

No advisories yet.

History

Tue, 03 Feb 2026 15:00:00 +0000

First Time appeared (values added): Wordpress; Wordpress wordpress
Vendors & Products (values added): Wordpress; Wordpress wordpress

Mon, 02 Feb 2026 17:15:00 +0000

Metrics (values added): SSVC 2.0.3, Exploitation: none, Automatable: yes, Technical Impact: partial


Sat, 31 Jan 2026 13:45:00 +0000

Description (added): The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.
Title (added): Sell BTC - Cryptocurrency Selling Calculator <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'orderform_data' AJAX Action
Weaknesses (added): CWE-79
References (added): none listed
Metrics (added): cvssV3_1, score 7.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:40.665Z

Reserved: 2025-12-12T01:37:39.254Z

Link: CVE-2025-14554

Vulnrichment

Updated: 2026-02-02T16:26:41.957Z

NVD

Status: Deferred

Published: 2026-01-31T14:16:59.983

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T03:45:06Z

Weaknesses