Impact
The vulnerability is a missing authorization flaw in the Stylemix Cost Calculator Builder plugin for WordPress. Because the plugin does not enforce proper access control, unprivileged users can perform privileged actions, such as viewing, editing, or deleting calculators, simply by accessing the plugin's endpoints. The flaw is classified as CWE-862 (Missing Authorization): the plugin does not perform an authorization check before carrying out these actions. As a result, an attacker could gain unauthorized access to configuration data or alter calculator settings, potentially compromising the integrity of the site's financial calculations.
Affected Systems
The affected software is the Stylemix Cost Calculator Builder plugin for WordPress. All releases up to and including version 3.5.32 are impacted; the range is stated as "through <= 3.5.32", with no lower bound specified, so earlier versions are included. The vendor is Stylemix. No specific sub-components or versions within the plugin are singled out beyond the overall version range.
Risk and Exploitability
The CVSS score of 6.5 places this vulnerability in the medium severity range, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog, suggesting no widespread or actively leveraged exploits. The attack vector is likely remote, via HTTP requests to the plugin's administrative endpoints, so an attacker needs to be able to reach a WordPress site running a vulnerable version of the plugin. No evidence of a publicly available exploit is provided, so the practical risk depends on the attacker's ability to reach the vulnerable site.
OpenCVE Enrichment