Skip to main content

Cost Calculator Builder

8 CVEs product

Monthly

CVE-2026-10865 MEDIUM This Month

Plaintext payment gateway secret key exposure in the Cost Calculator Builder WordPress plugin (all versions ≤ 4.0.11) allows any unauthenticated remote visitor to harvest Stripe, Razorpay, and PayPal merchant credentials directly from page HTML source. The plugin embeds live API secret keys in the frontend template body when the 'use in all calculators' global payment gateway option is active, making those keys readable without any authentication or special tooling. While the assigned CVSS score is 5.3 (Medium), the practical impact is business-critical: extracted secret keys grant full programmatic control over the merchant's payment accounts, enabling unauthorized charges, refunds, and access to stored customer payment data. No public exploit or CISA KEV listing is identified at time of analysis.

WordPress Information Disclosure Cost Calculator Builder
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-14757 MEDIUM PATCH This Month

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via wi...

WordPress Cost Calculator Builder PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-10892 MEDIUM POC This Month

The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Cost Calculator Builder
NVD WPScan
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-8379 HIGH POC This Week

The Cost Calculator Builder WordPress plugin before 3.2.29 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Cost Calculator Builder
NVD WPScan
CVSS 3.1
7.2
EPSS
0.5%
CVE-2024-6010 MEDIUM This Month

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Cost Calculator Builder
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-43144 CRITICAL POC Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Cost Calculator Builder allows SQL Injection.2.15. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Cost Calculator Builder
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2024-6012 MEDIUM PATCH This Month

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Cost Calculator Builder
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-6011 MEDIUM POC PATCH This Month

The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textarea.description’ parameter in all versions up to, and including, 3.2.12 due to insufficient. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. Public exploit code available.

WordPress XSS Cost Calculator Builder
NVD
CVSS 3.1
4.4
EPSS
0.4%
EPSS 0% CVSS 5.3
MEDIUM This Month

Plaintext payment gateway secret key exposure in the Cost Calculator Builder WordPress plugin (all versions ≤ 4.0.11) allows any unauthenticated remote visitor to harvest Stripe, Razorpay, and PayPal merchant credentials directly from page HTML source. The plugin embeds live API secret keys in the frontend template body when the 'use in all calculators' global payment gateway option is active, making those keys readable without any authentication or special tooling. While the assigned CVSS score is 5.3 (Medium), the practical impact is business-critical: extracted secret keys grant full programmatic control over the merchant's payment accounts, enabling unauthorized charges, refunds, and access to stored customer payment data. No public exploit or CISA KEV listing is identified at time of analysis.

WordPress Information Disclosure Cost Calculator Builder
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via wi...

WordPress Cost Calculator Builder PHP
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Cost Calculator Builder
NVD WPScan
EPSS 1% CVSS 7.2
HIGH POC This Week

The Cost Calculator Builder WordPress plugin before 3.2.29 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Cost Calculator Builder
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM This Month

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Cost Calculator Builder
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Cost Calculator Builder allows SQL Injection.2.15. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Cost Calculator Builder
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Cost Calculator Builder
NVD
EPSS 0% CVSS 4.4
MEDIUM POC PATCH This Month

The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textarea.description’ parameter in all versions up to, and including, 3.2.12 due to insufficient. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. Public exploit code available.

WordPress XSS Cost Calculator Builder
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy