Impact
The vulnerability is a stored (persistent) cross-site scripting flaw: the plugin fails to neutralize user-supplied input before embedding it in generated pages. A payload saved through the plugin is rendered, unescaped, on every subsequent load of a page that displays the affected data, so arbitrary JavaScript runs in the browser of any visitor or administrator who views it. Consequences include cookie theft, session hijacking, defacement, and use of the victim's authenticated session for further actions. WordPress sets its authentication cookies HttpOnly by default, so the more practical impact of script executing in an administrator's session is the ability to issue authenticated requests on their behalf rather than to read the session cookie. The weakness corresponds to CWE-79, Improper Neutralization of Input During Web Page Generation; the root cause is missing output encoding at render time, not insufficient input validation alone.
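The rendering defect behind CWE-79, as an added example that is not code from the Cost Calculator plugin or from QuanticaLabs: a stored record is concatenated straight into markup, then the same record is rendered with context-appropriate escaping. The item fields, the render functions and `output_leaks_payload()` are hypothetical names for illustration; plain-PHP `htmlspecialchars()` stands in for WordPress's `esc_html()` and `esc_attr()` so the file runs under the PHP CLI without WordPress.

```php
<?php
// Added example, not plugin code. Hypothetical item record as an attacker who
// can reach the plugin's storage interface might save it (constructed data).
$stored_item = [
    'label' => '<img src=x onerror=alert(document.cookie)>',
    'unit'  => '" autofocus onfocus=alert(1) x="',
];

// Vulnerable render path: stored strings are dropped into markup verbatim,
// so the label becomes a live tag and the unit breaks out of its attribute.
function render_item_vulnerable(array $item): string
{
    return '<li data-unit="' . $item['unit'] . '">' . $item['label'] . '</li>';
}

// Hardened render path: encode every stored value for the context it lands
// in before it reaches the page. In WordPress use esc_attr() for attribute
// values and esc_html() for element content; htmlspecialchars() with
// ENT_QUOTES is the plain-PHP equivalent used here so the file runs stand-alone.
function esc_html_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_item_hardened(array $item): string
{
    return '<li data-unit="' . esc_html_ctx($item['unit']) . '">'
         . esc_html_ctx($item['label']) . '</li>';
}

// Check usable against any render path: does a stored value reach the output
// byte for byte? Meaningful only when the value contains markup-significant
// characters (<, >, ", '); a harmless word such as "hours" is expected to pass.
function output_leaks_payload(string $html, array $item): bool
{
    foreach ($item as $value) {
        if ($value !== '' && strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

foreach (['vulnerable' => 'render_item_vulnerable', 'hardened' => 'render_item_hardened'] as $name => $fn) {
    $html = $fn($stored_item);
    printf("%-10s %s\n", $name, $html);
    printf("%-10s payload survives: %s\n\n", '', output_leaks_payload($html, $stored_item) ? 'yes' : 'no');
}
```

Run it with `php` from the command line: the vulnerable output shows the attribute break-out and the live `<img>` tag, the hardened output shows both neutralized. The same leak check works against a test site: store a value containing markup characters through the plugin, fetch the page that displays it, and search the response for the value verbatim.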
Affected Systems
The flaw affects the WordPress Cost Calculator plugin by QuanticaLabs, versions 7.4 and earlier; any site with one of these versions installed and active is exposed. Exposure extends to every user who views a page that renders the stored data, which, depending on where the plugin output appears, may be unauthenticated visitors as well as logged-in users and administrators. Confirm the installed version against 7.4 on the Plugins screen of the WordPress admin.
Risk and Exploitability
The CVSS base score of 6.5 falls in the Medium band. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days, and the flaw is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. To exploit it, an attacker must be able to save content through the plugin's storage interface; the source material does not state which role is required, so the assumption that administrator access is needed is an inference rather than a documented precondition, and the lower the required role turns out to be, the more exposed multi-author sites are. Once the payload is stored it is served to every user who loads the affected page, so a single injection can reach many browsers, including administrators', which is what makes the client-side impact high despite the moderate score.
OpenCVE Enrichment