CVE-2025-54046

Vulnerability

Overview

The Cost Calculator plugin for WordPress (ql-cost-calculator) versions up to and including 7.4 contain a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML-encode malicious scripts that persist on the server and execute when other users visit affected pages.

Exploitation

Details

Exploitation requires a privileged user role (e.g., administrator or editor) to perform an action such as clicking a crafted link or submitting a form [1]. The attacker does not need direct access to the site but must convince a privileged user to interact with the malicious payload. Once stored, the injected script executes in the context of any visitor's browser session.

Impact

Successful exploitation allows an attacker to inject arbitrary scripts, including redirects, advertisements, or other HTML payloads, into the website [1]. This can lead to data theft, session hijacking, or defacement, and is considered moderately dangerous. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of sites regardless of size or popularity.

Mitigation

The vendor has released version 7.5 which resolves the vulnerability [1]. Users are strongly advised to update immediately. If updating is not possible, a mitigation rule from Patchstack can block attacks until the update is applied [1].