Skip to main content

Stylish Cost Calculator EUVDEUVD-2026-39684

| CVE-2026-54847 HIGH
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-7j85-cm6p-6v5x
7.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network endpoint with no user interaction yields AV:N/AC:L/PR:N/UI:N; broken access control discloses protected data so C:H with I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:37 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Stylish Cost Calculator <= 8.3.9 versions.

AnalysisAI

Unauthorized data exposure in the Stylish Cost Calculator WordPress plugin (versions 8.3.9 and earlier) lets remote unauthenticated attackers reach functionality that should be access-controlled, exposing sensitive information. Reported through Patchstack and classified as a broken access control / missing authorization flaw (CWE-862), it carries a CVSS 7.5 with confidentiality-only impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Stylish Cost Calculator
Exploit
Send unauthenticated request to plugin endpoint
Execution
Bypass missing authorization check
Impact
Retrieve protected data

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target WordPress site has the Stylish Cost Calculator plugin (version <= 8.3.9) installed and active, with its endpoints reachable over the network - no authentication, no special configuration, and no user interaction are needed (PR:N/UI:N/AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially complete and broadly consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has not authenticated sends a crafted HTTP request directly to the plugin's vulnerable AJAX or REST endpoint on a target WordPress site and receives data or invokes functionality that should require login or specific capabilities. Given AV:N/AC:L/PR:N/UI:N, this requires only network reachability and no special timing, privileges, or victim interaction. …
Remediation Upgrade the Stylish Cost Calculator plugin to a release newer than 8.3.9; the input identifies 8.3.9 and earlier as vulnerable but does not specify the exact fixed version, so confirm the patched build via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/stylish-cost-calculator/vulnerability/wordpress-stylish-cost-calculator-plugin-8-3-9-broken-access-control-vulnerability?_s_id=cve) and the WordPress plugin changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Search WordPress plugin inventory and security scanning tools for Stylish Cost Calculator versions 8.3.9 and earlier; identify all affected installations and their exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy