VYPR
Medium severity 6.5 · NVD Advisory · Published Nov 21, 2025 · Updated Apr 15, 2026

CVE-2025-66091

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows DOM-Based XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS vulnerability in Stylish Cost Calculator plugin (≤8.1.5) allows attackers to inject malicious scripts via unneutralized input.

The Stylish Cost Calculator plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting (XSS) due to improper neutralization of user-supplied input during web page generation [1]. This flaw exists in versions up to and including 8.1.5, where the plugin fails to adequately sanitize or escape input before outputting it in the DOM.

Exploitation requires user interaction, such as a privileged user clicking a malicious link or visiting a crafted page [1]. This means an attacker would need to trick a user with elevated privileges (e.g., an administrator) into performing an action that triggers the vulnerability. Once triggered, the malicious script executes within the context of the user's browser session.

Successful exploitation allows an attacker to inject arbitrary scripts, which can be used to redirect visitors to malicious sites, display advertisements, or deliver other HTML payloads [1]. When other guests visit the affected page, the injected script executes, potentially leading to further compromise or data theft.

Mitigation is straightforward: update the plugin to version 8.1.6 or later, which resolves the vulnerability [1]. Users are advised to apply the update immediately to protect their sites from potential attacks.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1