Impact
The vulnerability is an improper neutralization of special elements used in an SQL command, which allows an attacker to inject arbitrary SQL statements. This flaw can enable unauthorized reading, updating, or deletion of database records, potentially exposing sensitive information such as user data, site configurations, or payment details. The weakness is classified as CWE-89 and represents a high‑impact security risk for any WordPress site using the affected plugin.
Affected Systems
The Stylemix Cost Calculator Builder WordPress plugin versions up to and including 3.2.65 are vulnerable. The issue originates in the Cost Calculator Builder, a plugin that enables front‑end cost calculations on WordPress sites.
Risk and Exploitability
The CVSS score of 9.3 marks this flaw as critical. The EPSS score of less than 1% indicates that active, widespread exploitation is unlikely at present, and the vulnerability is not currently listed in CISA’s KEV catalog. Based on the plugin’s public form fields, the attack vector is inferred to be a network‑accessible web request that requires no authentication and uses crafted input to achieve SQL injection. An attacker could run arbitrary database queries or modify data, potentially leading to data loss or broader compromise if additional privileges are obtained.
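To make the CWE-89 pattern concrete for WordPress plugin developers and reviewers, the following is an added illustration, not code from the Cost Calculator Builder plugin: a hypothetical unauthenticated AJAX handler that concatenates request input into SQL, beside a hardened version that validates the input and binds it through `$wpdb->prepare()`. The table name, hook names, nonce action and field names are assumptions for the example.

```php
<?php
// Added illustration (not the plugin's own code): the CWE-89 pattern described
// above in a hypothetical WordPress AJAX handler, beside a hardened version.
// Table name, hook names, nonce action and field names are assumptions.

// Vulnerable form: the request parameter is pasted into the SQL text, so the
// database parses attacker-controlled input as part of the statement.
function cc_example_get_calc_unsafe() {
    global $wpdb;
    $calc_id = $_POST['calc_id'];                          // untrusted, unvalidated
    $sql = "SELECT * FROM {$wpdb->prefix}cc_example_calcs WHERE id = $calc_id";
    $row = $wpdb->get_row( $sql );                         // no parameterization
    wp_send_json_success( $row );
}

// Hardened form: enforce the expected type (an integer id) and bind every value
// with $wpdb->prepare() so input is always treated as data, never as SQL.
// Because the endpoint is reachable without login (wp_ajax_nopriv_), a nonce
// check also limits which requests are accepted at all.
function cc_example_get_calc_safe() {
    global $wpdb;
    check_ajax_referer( 'cc_example_nonce', 'nonce' );     // reject forged requests
    $calc_id = isset( $_POST['calc_id'] ) ? absint( wp_unslash( $_POST['calc_id'] ) ) : 0;
    if ( 0 === $calc_id ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}cc_example_calcs WHERE id = %d",
            $calc_id
        )
    );

    // String inputs (a search term here) also go through prepare(); LIKE
    // wildcards in the user value are escaped separately with esc_like().
    $term = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $matches = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}cc_example_calcs WHERE title LIKE %s",
            $like
        )
    );
    wp_send_json_success( array( 'row' => $row, 'matches' => $matches ) );
}

// Register only the hardened handler for both logged-in and anonymous callers.
add_action( 'wp_ajax_nopriv_cc_example_get_calc', 'cc_example_get_calc_safe' );
add_action( 'wp_ajax_cc_example_get_calc', 'cc_example_get_calc_safe' );
```

When auditing a plugin for this class of bug, grep for `$wpdb->query`, `get_row`, `get_results` and `get_var` calls whose SQL string is built with interpolation or concatenation rather than passed through `$wpdb->prepare()`.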
OpenCVE Enrichment