The WP Cost Calculator Builder is a widely used WordPress plugin that allows website owners to create dynamic pricing and estimation forms using an intuitive drag-and-drop interface. With over 20 flexible form elements and deep integration into e-commerce platforms like WooCommerce, it serves as a powerful tool for businesses that want to provide cost estimation on their services and products.
However, versions up to 3.2.74 of the plugin are vulnerable to a Stored Cross-Site Scripting (XSS) attack that allows malicious JavaScript code to be injected and persistently executed in the browser of any visitor who views the infected form.
| Field | Value |
|---|---|
| CVE | CVE-2025-48277 |
| Plugin | Cost Calculator Builder < 3.5.3 |
| Critical | High |
| All Time | 2 369 959 |
| Active installations | 30 000+ |
| Publicly Published | May 19, 2025 |
| Last Updated | May 19, 2025 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | [CVE-2025-48277](https://patchstack.com/database/wordpress/plugin/cost-calculator-builder/vulnerability/wordpress-cost-calculator-builder-3-2-74-cross-site-scripting-xss-vulnerability) |
Timeline
| Date | Event |
|---|---|
| April 23, 2025 | Plugin testing and vulnerability detection in the Category Posts Widget have been completed |
| April 23, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| May 19, 2025 | Registered CVE-2025-48277 |
Discovery of the Vulnerability
The vulnerability was identified in the form creation process of the plugin. Specifically, when using the “Switch toggle” or checkbox element, the “Hint” field fails to properly sanitize user input. This makes it possible to inject arbitrary JavaScript code, which is stored in the database and executed every time a visitor loads the page containing the affected calculator form.
Understanding XSS Attacks
Stored Cross-Site Scripting (XSS) is a vulnerability where malicious scripts are injected into a website and stored in the backend (e.g., database). Unlike reflected XSS, the payload persists and is delivered to every user who accesses the infected page or component.
In the WordPress ecosystem, XSS often targets:
- Admin dashboard elements
- Public-facing forms (comments, contact forms, calculators)
- Widgets and shortcodes
Real-world examples:
- An attacker injects `<script>alert(document.cookie)</script>` into a form field.
- Visitors or admins later see that content rendered, causing the browser to execute the script.
In this case, the plugin allows shortcode-based rendering of the calculator on any page or post. When the malicious payload is inserted into the form’s Hint field and rendered, any visitor who views that page will unknowingly execute the embedded JavaScript code.
Exploiting the XSS Vulnerability
To exploit CVE-2025-48277, an attacker with administrator+ privileges:
POC:
1) Access the WordPress dashboard and navigate to: Cost Calculator > Calculator
2) Create a new calculator: click “+ New Blank Form”, name it and click “Create”
3) Add the vulnerable component: select the "Switch toggle" or Checkbox element and scroll to the “Hint” field
4) Insert the XSS payload
5) Save the form and copy the generated shortcode
6) Create or edit a WordPress page/post and paste the shortcode
7) Visit the page – the JavaScript alert will execute
This confirms that the XSS payload is stored and automatically executed for every visitor to the page.
Recommendations for Improved Security
Website administrators and plugin developers are advised to take the following actions:
For Website Owners:
- Update Immediately: Upgrade WP Cost Calculator Builder to the latest version where this issue is patched
- Audit Forms: Manually inspect any calculators created before patching for suspicious or unexpected content
- Use Web Application Firewalls (WAFs): Tools like Wordfence or Sucuri can help block malicious input at runtime
- Enforce Least Privilege: Restrict form creation and editing permissions to trusted users only
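The “Audit Forms” step above can be made less error-prone with a small scan over the stored hint strings. The following PHP is an added example and not part of the plugin; it assumes the hint strings have already been loaded from the site's saved form definitions (how the plugin stores them is not described on this page), and the sample data at the bottom is constructed for the demo.

```php
<?php
// Added example (not plugin code): heuristic scan of stored calculator
// hint strings for markup that should never appear in a plain-text hint.
// Assumes the caller has already loaded the hints from the site's saved
// form definitions; how they are stored is plugin-specific.

/**
 * Return true when a hint contains markup typical of injected script.
 * Entities are decoded first so an encoded copy of a payload is also
 * surfaced for manual review.
 */
function hint_looks_suspicious(string $hint): bool {
    $patterns = [
        '/<\s*script\b/i',                          // <script> tag
        '/<\s*\/?\s*(iframe|object|embed|svg)\b/i', // other active content
        '/\bon[a-z]+\s*=/i',                        // inline handler, e.g. onerror=
        '/javascript\s*:/i',                        // javascript: URL scheme
    ];
    $decoded = html_entity_decode($hint, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach ($patterns as $re) {
        if (preg_match($re, $decoded)) {
            return true;
        }
    }
    return false;
}

/**
 * Scan a map of form name => list of hint strings and return the
 * entries that need a human look.
 */
function audit_hints(array $forms): array {
    $flagged = [];
    foreach ($forms as $form => $hints) {
        foreach ($hints as $i => $hint) {
            if (hint_looks_suspicious($hint)) {
                $flagged[] = ['form' => $form, 'index' => $i, 'hint' => $hint];
            }
        }
    }
    return $flagged;
}

// Constructed sample data: two forms, one clean, one carrying the
// payload quoted earlier in the article.
$sample = [
    'Pricing estimate' => ['Select to add express delivery', 'Toggle on for VAT'],
    'Quote form'       => ['<script>alert(document.cookie)</script>', 'Price per unit'],
];

foreach (audit_hints($sample) as $hit) {
    printf("Form '%s', hint #%d needs review: %s\n",
        $hit['form'], $hit['index'], $hit['hint']);
}
```

The regexes are deliberately broad: a hint is supposed to be a short plain-text string, so any tag or event handler is worth a look, and false positives cost a few seconds of review while a missed payload keeps executing for every visitor.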
For Plugin Developers:
- Sanitize User Input: Escape HTML characters in all user-provided input fields
- Use `wp_kses` or `esc_html()`: always sanitize form hints, labels, and dynamic values that are later rendered
- Security Testing: integrate vulnerability scanners and code reviews in your development lifecycle
- Bug Bounty: Consider offering rewards to researchers who report vulnerabilities responsibly
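To make the two developer recommendations concrete, here is an added PHP example of the vulnerable rendering pattern beside its hardened forms. It is not the plugin's code: `wp_kses()`, `esc_html()`, `esc_attr()`, `sanitize_text_field()` and `wp_unslash()` are real WordPress functions, while the `render_hint_*` and `sanitize_hint_on_save` functions and the `$hint` parameter are this example's own names. It must run inside WordPress, since it calls the WordPress escaping API.

```php
<?php
// Added example (not the plugin's code): handling a user-supplied hint on
// save and on render. The WordPress functions used are esc_html(),
// esc_attr(), wp_kses(), sanitize_text_field() and wp_unslash(); the
// function names below are this example's own.

// Vulnerable pattern: the stored value is concatenated straight into
// markup, so a hint of <script>...</script> runs in every visitor's browser.
function render_hint_unsafe(string $hint): string {
    return '<span class="hint">' . $hint . '</span>';
}

// Hardened pattern 1: a hint is plain text, so escape it on output.
// esc_html() turns < > & " ' into entities and the browser shows them literally.
function render_hint_safe(string $hint): string {
    return '<span class="hint">' . esc_html($hint) . '</span>';
}

// Hardened pattern 2: if limited formatting is a feature, allow only a strict
// whitelist of tags and attributes; wp_kses() strips everything else,
// including event-handler attributes and script tags.
function render_hint_limited_html(string $hint): string {
    $allowed = [
        'b'  => [],
        'i'  => [],
        'br' => [],
        'a'  => ['href' => [], 'title' => []],
    ];
    return '<span class="hint">' . wp_kses($hint, $allowed) . '</span>';
}

// When the hint lands inside an attribute, the context changes and so does
// the escaper: esc_attr() is the right call here, not esc_html().
function render_hint_as_title(string $hint): string {
    return '<span class="hint" title="' . esc_attr($hint) . '">?</span>';
}

// Defence in depth: also sanitize when the form definition is saved so the
// database never holds raw markup. This does not replace output escaping;
// the stored value can still reach other templates or be exported.
function sanitize_hint_on_save(string $raw): string {
    return sanitize_text_field(wp_unslash($raw));
}
```

The key design point is that escaping is chosen by output context (HTML body, attribute, allowed-HTML fragment), and that sanitizing on save is a second layer rather than a replacement for it; a plugin that only sanitizes on save stays exposed to values already in the database, which is exactly the situation site owners face after updating past a vulnerable version.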
To prevent this type of attack, the vendor applied the prevention methods we recommended.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-48277, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Artyom k.