Skip to main content

price-calc WordPress Plugin CVE-2025-28891

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in jazzigor price-calc allows Stored XSS. This issue affects price-calc: from n/a through 0.6.3.

AnalysisAI

Stored XSS can be injected into price-calc WordPress plugin (versions up to 0.6.3) via CSRF attack vector, allowing attackers to execute malicious scripts in administrator browsers when authenticated users are tricked into visiting attacker-controlled pages. This chained vulnerability (CSRF enabling XSS) affects sites with authenticated administrative users and can lead to account compromise, privilege escalation, or malicious site modifications. EPSS score of 0.05% (14th percentile) indicates low probability of widespread exploitation, though the attack requires only user interaction (CVSS UI:R) rather than authentication from the attacker perspective.

Technical ContextAI

This vulnerability chains two distinct weaknesses: Cross-Site Request Forgery (CWE-352) as the initial vector that enables Stored XSS injection. The price-calc WordPress plugin fails to implement CSRF tokens (nonces) on administrative functions that accept user input, allowing attackers to craft malicious requests that administrators unknowingly execute. These forged requests inject persistent JavaScript payloads into the plugin's stored data (likely price calculation configurations or templates). When other users or administrators access pages rendering this stored data, the malicious scripts execute in their browser context. The CVSS scope change (S:C) indicates the vulnerability escapes the plugin's security boundary to affect WordPress core or other components, typical of XSS attacks that can access cookies, session tokens, and perform actions across the entire administrative interface.

Affected ProductsAI

WordPress price-calc plugin versions from earliest release through 0.6.3 are confirmed vulnerable per Patchstack advisory. The vulnerability affects all WordPress installations running these plugin versions regardless of WordPress core version or hosting environment. CPE data not provided in vulnerability disclosure. Complete affected version range and patch status available at Patchstack database entry: https://patchstack.com/database/wordpress/plugin/price-calc/vulnerability/wordpress-price-calc-plugin-0-6-3-csrf-to-stored-xss-vulnerability

RemediationAI

Upgrade price-calc plugin to version 0.6.4 or later if available, verifying from the official WordPress plugin repository or vendor advisory that CSRF protections and input sanitization have been implemented. Patchstack advisory at https://patchstack.com/database/wordpress/plugin/price-calc/vulnerability/wordpress-price-calc-plugin-0-6-3-csrf-to-stored-xss-vulnerability provides patch confirmation and mitigation guidance. If immediate upgrade is not feasible, implement compensating controls: restrict plugin administrative functions to specific trusted IP addresses via web application firewall rules (trade-off: legitimate remote administrators cannot access configuration); disable the price-calc plugin entirely until patched if pricing calculator functionality is non-critical (trade-off: loss of business functionality); implement Content Security Policy headers to restrict inline JavaScript execution, reducing XSS impact (trade-off: may break legitimate plugin features relying on inline scripts); educate WordPress administrators to avoid clicking external links while logged into admin panel (trade-off: relies on human behavior, not technical control).

Share

CVE-2025-28891 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy