Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows DOM-Based XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.5.
Published: 2025-11-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that results in a DOM‑Based Cross Site Scripting (XSS) flaw. An attacker can supply crafted data that is reflected or processed by the browser, allowing the execution of arbitrary JavaScript in the context of the victim’s session. This can lead to session hijacking, defacement, or the execution of phishing attacks, compromising confidentiality, integrity and availability of the affected web application.

Affected Systems

The issue affects the WordPress plugin Stylish Cost Calculator, version 8.1.5 and earlier. The plugin is distributed by Design:Stylish Cost Calculator and is used on WordPress sites that incorporate the cost calculator widget.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5, indicating a moderate severity. The EPSS score is less than 1 %, suggesting a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is client‑side; a malicious link or page that includes crafted payloads can trigger the XSS on any user who visits the page. No privileged access or server‑side code execution is required for exploitation.

Generated by OpenCVE AI on April 29, 2026 at 11:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Stylish Cost Calculator to version 8.1.6 or later.
  • Remove or disable the plugin if it is not required for site functionality.
  • Apply input validation and sanitization rules on the client side, or use a Web Application Firewall rule to block reflected XSS payloads.


Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
Values Added: Design; Design stylish Cost Calculator; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Design; Design stylish Cost Calculator; Wordpress; Wordpress wordpress

Fri, 21 Nov 2025 18:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 12:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows DOM-Based XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.5.

Type: Title
Values Added: WordPress Stylish Cost Calculator plugin <= 8.1.5 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:07:01.753Z

Reserved: 2025-11-21T11:21:04.795Z

Link: CVE-2025-66091

Vulnrichment

Updated: 2025-11-21T17:42:04.114Z

NVD

Status: Deferred

Published: 2025-11-21T13:15:50.400

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-66091

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:45:10Z

Weaknesses