Description
The Fintelligence Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fintelligence-calculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-03
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Fintelligence Calculator WordPress plugin is vulnerable to a stored cross-site scripting flaw that can be triggered through the 'fintelligence-calculator' shortcode when an authenticated user supplies unfiltered attributes. Because the plugin does not sanitize or escape user input, an attacker with contributor-level or higher access can embed arbitrary JavaScript in a page, causing it to execute whenever any user views that content. This weakness can lead to information disclosure, session hijacking, or malicious code execution in the victim's browser, consistent with CWE-79.

Affected Systems

This issue affects ambitioncloud's Fintelligence Calculator plugin for WordPress in all versions up to and including 1.0.3. Sites running any of these versions that allow contributor-level or higher users to submit content are potentially impacted.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low current exploitation probability, though this does not eliminate the risk. Because the flaw requires authenticated contributor access, attackers who can obtain such credentials (e.g., through credential compromise or social engineering) can inject malicious scripts that run in the browsers of all visitors to the affected pages. The vulnerability is not listed in CISA’s KEV catalog, yet the potential for widespread damage makes it a significant concern for sites that rely on this plugin.

Generated by OpenCVE AI on April 21, 2026 at 02:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fintelligence Calculator plugin to a version newer than 1.0.3 as soon as one is released or uninstall the plugin if it is not required.
  • If an upgrade is unavailable, restrict the shortcode's usage to administrator-level users only or disable the shortcode altogether for contributors.
  • Configure a web-application firewall or use a security plugin to block cross-site scripting attacks on page content, ensuring that any user-supplied attributes are properly sanitized before rendering.
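The two ideas behind the analysis above, insufficient escaping of shortcode attributes (the defect class) and restricting the shortcode for lower-privileged roles (the interim workaround), as an added illustrative WordPress mu-plugin. This is not the Fintelligence Calculator plugin's code and does not reproduce its handler; the hardened handler uses a hypothetical shortcode name and hypothetical attributes (amount, rate, label), while the save-time guard targets the real 'fintelligence-calculator' shortcode tag named in the advisory.

```php
<?php
/**
 * Illustrative mu-plugin (added example, NOT the Fintelligence Calculator
 * plugin's own code). Two patterns:
 *   1. a shortcode handler that escapes every user-supplied attribute, and
 *   2. a save-time guard that strips the 'fintelligence-calculator' shortcode
 *      from content saved by users lacking the 'unfiltered_html' capability.
 * The shortcode name 'example-calculator' and its attributes are hypothetical.
 */

// --- 1. Hardened shortcode handler -----------------------------------------
// A CWE-79 handler would interpolate $atts['label'] straight into markup.
// This version whitelists attributes via shortcode_atts(), coerces numeric
// values, sanitizes free text on input and escapes everything on output.
function example_calculator_shortcode( $atts ) {
    $atts = shortcode_atts(
        array(
            'amount' => '0',
            'rate'   => '0',
            'label'  => 'Calculator',
        ),
        $atts,
        'example-calculator'
    );

    // Numeric attributes: a float cannot carry markup or quote characters.
    $amount = floatval( $atts['amount'] );
    $rate   = floatval( $atts['rate'] );

    // Free-text attribute: strip tags/control characters, then escape per context.
    $label = sanitize_text_field( $atts['label'] );

    return sprintf(
        '<div class="calc" data-amount="%s" data-rate="%s"><h3>%s</h3></div>',
        esc_attr( $amount ),  // attribute context
        esc_attr( $rate ),
        esc_html( $label )    // element text context
    );
}
add_shortcode( 'example-calculator', 'example_calculator_shortcode' );

// --- 2. Save-time guard for the affected shortcode --------------------------
// Matches the "restrict the shortcode to administrators" action. wp_kses_post()
// already filters HTML in contributor content, but text inside shortcode
// brackets is not HTML yet, so attribute values reach the handler as written.
// Removing the shortcode at save time for users without 'unfiltered_html'
// (contributor and author roles by default) closes that path until a fix ships.
function example_strip_calculator_shortcode( $data, $postarr ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $data; // trusted role: content left unchanged
    }
    // get_shortcode_regex() with a tag list returns a delimiter-less pattern that
    // matches [tag ...], [tag ...]...[/tag] and the escaped [[tag]] form.
    $pattern = get_shortcode_regex( array( 'fintelligence-calculator' ) );
    $data['post_content'] = preg_replace( '/' . $pattern . '/s', '', $data['post_content'] );
    return $data;
}
add_filter( 'wp_insert_post_data', 'example_strip_calculator_shortcode', 10, 2 );
```

Drop the file into wp-content/mu-plugins/ to activate it without the dashboard. The guard acts on save rather than on render because the viewer of an injected page is never the author who injected it; a render-time capability check would only decide whether the current visitor sees the calculator, not whether the stored attributes are trusted. Since preg_replace also removes the escaped [[fintelligence-calculator]] form, contributors lose the ability to write the literal shortcode text in a post, which is acceptable for a temporary workaround.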

Advisories
Source: EUVD
ID: EUVD-2025-32259
Title: The Fintelligence Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fintelligence-calculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Oct 2025 11:30:00 +0000

Type | Values Removed | Values Added
Description | | The Fintelligence Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fintelligence-calculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Fintelligence Calculator <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:18.920Z

Reserved: 2025-09-02T15:42:48.813Z

Link: CVE-2025-9859

Vulnrichment

Updated: 2025-10-03T14:04:40.481Z

NVD

Status : Deferred

Published: 2025-10-03T12:15:49.263

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses