Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder allows Stored XSS. This issue affects Cost Calculator Builder: from n/a through <= 3.2.65.
Published: 2025-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that permits stored cross‑site scripting. An attacker can embed arbitrary scripts that are saved within the plugin and subsequently served to other site users, resulting in client‑side code execution and potential compromise of confidentiality or integrity of user data.

Affected Systems

The issue affects the Stylemix Cost Calculator Builder WordPress plugin up through version 3.2.65. Any WordPress site that has a vulnerable version of this plugin is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests the probability of real‑world exploitation is currently low, and the flaw is not listed in the CISA KEV catalog. Stored XSS may not require authentication, but the available data does not specify whether authentication is required, so this condition cannot be confirmed. Once stored, the malicious script will execute in the browsers of subsequent visitors to the affected pages, enabling client‑side code execution.

Generated by OpenCVE AI on May 2, 2026 at 08:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cost Calculator Builder plugin to a version newer than 3.2.65 to apply the vendor’s fix.
  • If an upgrade is not immediately possible, deactivate or remove the plugin from the site to eliminate the stored payload vector.
  • Deploy a Web Application Firewall or configure a content‑security‑policy to detect and block injected scripts and monitor site traffic for XSS attempts.



Advisories
Source: EUVD
ID: EUVD-2025-8705
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stylemix Cost Calculator Builder allows Stored XSS. This issue affects Cost Calculator Builder: from n/a through 3.2.65.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stylemix Cost Calculator Builder allows Stored XSS. This issue affects Cost Calculator Builder: from n/a through 3.2.65.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder allows Stored XSS. This issue affects Cost Calculator Builder: from n/a through <= 3.2.65.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 31 Mar 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 13:00:00 +0000

Type Values Removed Values Added
Title WordPress Cost Calculator Builder plugin <= 3.2.65 - Cross Site Scripting (XSS) vulnerability

Mon, 31 Mar 2025 06:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stylemix Cost Calculator Builder allows Stored XSS. This issue affects Cost Calculator Builder: from n/a through 3.2.65.
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:06.218Z

Reserved: 2025-03-28T10:59:52.731Z

Link: CVE-2025-31414

Vulnrichment

Updated: 2025-03-31T12:51:14.706Z

NVD

Status: Deferred

Published: 2025-03-31T06:15:31.317

Modified: 2026-04-23T15:27:47.180

Link: CVE-2025-31414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')