price-calc WordPress Plugin CVE-2025-28891
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in jazzigor price-calc allows Stored XSS. This issue affects price-calc: from n/a through 0.6.3.
AnalysisAI
Stored XSS can be injected into price-calc WordPress plugin (versions up to 0.6.3) via CSRF attack vector, allowing attackers to execute malicious scripts in administrator browsers when authenticated users are tricked into visiting attacker-controlled pages. This chained vulnerability (CSRF enabling XSS) affects sites with authenticated administrative users and can lead to account compromise, privilege escalation, or malicious site modifications. EPSS score of 0.05% (14th percentile) indicates low probability of widespread exploitation, though the attack requires only user interaction (CVSS UI:R) rather than authentication from the attacker perspective.
Technical ContextAI
This vulnerability chains two distinct weaknesses: Cross-Site Request Forgery (CWE-352) as the initial vector that enables Stored XSS injection. The price-calc WordPress plugin fails to implement CSRF tokens (nonces) on administrative functions that accept user input, allowing attackers to craft malicious requests that administrators unknowingly execute. These forged requests inject persistent JavaScript payloads into the plugin's stored data (likely price calculation configurations or templates). When other users or administrators access pages rendering this stored data, the malicious scripts execute in their browser context. The CVSS scope change (S:C) indicates the vulnerability escapes the plugin's security boundary to affect WordPress core or other components, typical of XSS attacks that can access cookies, session tokens, and perform actions across the entire administrative interface.
Affected ProductsAI
WordPress price-calc plugin versions from earliest release through 0.6.3 are confirmed vulnerable per Patchstack advisory. The vulnerability affects all WordPress installations running these plugin versions regardless of WordPress core version or hosting environment. CPE data not provided in vulnerability disclosure. Complete affected version range and patch status available at Patchstack database entry: https://patchstack.com/database/wordpress/plugin/price-calc/vulnerability/wordpress-price-calc-plugin-0-6-3-csrf-to-stored-xss-vulnerability
RemediationAI
Upgrade price-calc plugin to version 0.6.4 or later if available, verifying from the official WordPress plugin repository or vendor advisory that CSRF protections and input sanitization have been implemented. Patchstack advisory at https://patchstack.com/database/wordpress/plugin/price-calc/vulnerability/wordpress-price-calc-plugin-0-6-3-csrf-to-stored-xss-vulnerability provides patch confirmation and mitigation guidance. If immediate upgrade is not feasible, implement compensating controls: restrict plugin administrative functions to specific trusted IP addresses via web application firewall rules (trade-off: legitimate remote administrators cannot access configuration); disable the price-calc plugin entirely until patched if pricing calculator functionality is non-critical (trade-off: loss of business functionality); implement Content Security Policy headers to restrict inline JavaScript execution, reducing XSS impact (trade-off: may break legitimate plugin features relying on inline scripts); educate WordPress administrators to avoid clicking external links while logged into admin panel (trade-off: relies on human behavior, not technical control).
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today