Stylemixthemes Cost Calculator Builder vulnerabilities
8 known vulnerabilities affecting stylemixthemes/cost_calculator_builder.
Total CVEs
8
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH1MEDIUM6
Vulnerabilities
Page 1 of 1
CVE-2024-43144P2CRITICALCVSS 9.8PoCfixed in 3.2.16≥ n/a, ≤ 3.2.152024-08-29
CVE-2024-43144 [CRITICAL] CWE-89 CVE-2024-43144: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Cost Calculator Builder allows SQL Injection.This issue affects Cost Calculator Builder: from n/a through 3.2.15.
nvd
CVE-2024-8379P3HIGHCVSS 7.2fixed in 3.2.292024-09-30
CVE-2024-8379 [HIGH] CWE-89 CVE-2024-8379: The Cost Calculator Builder WordPress plugin before 3.2.29 does not properly sanitise and escape a p
The Cost Calculator Builder WordPress plugin before 3.2.29 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.
nvd
CVE-2025-14757P4MEDIUMCVSS 5.3fixed in 3.6.102026-01-16
CVE-2025-14757 [MEDIUM] CWE-862 CVE-2025-14757: The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Byp
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the
nvd
CVE-2024-6010P4MEDIUMCVSS 5.3≤ 3.1.962024-09-07
CVE-2024-6010 [MEDIUM] CWE-472 CVE-2024-6010: The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all vers
The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated att
nvd
CVE-2023-40011P4MEDIUMCVSS 5.4≥ n/a, ≤ 3.1.422024-12-13
CVE-2023-40011 [MEDIUM] CWE-862 CVE-2023-40011: Missing Authorization vulnerability in StylemixThemes Cost Calculator Builder allows Exploiting Inco
Missing Authorization vulnerability in StylemixThemes Cost Calculator Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cost Calculator Builder: from n/a through 3.1.42.
nvd
CVE-2024-6012P4MEDIUMCVSS 4.3fixed in 3.2.132024-07-02
CVE-2024-6012 [MEDIUM] CWE-862 CVE-2024-6012: The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary
nvd
CVE-2024-10892P4MEDIUMCVSS 5.4fixed in 3.2.432024-12-18
CVE-2024-10892 [MEDIUM] CWE-352 CVE-2024-10892: The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX ac
The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.
nvd
CVE-2024-6011P4MEDIUMCVSS 4.8fixed in 3.2.132024-07-02
CVE-2024-6011 [MEDIUM] CWE-79 CVE-2024-6011: The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textarea.description’ parameter in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary
nvd