CVE-2026-24630

Vulnerability

Overview The Stylish Cost Calculator plugin for WordPress, versions up to and including 8.2.9, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an attacker with sufficient privileges to inject arbitrary JavaScript or HTML payloads that are stored on the server and later executed in the browsers of visitors.

Exploitation

Conditions Exploitation requires a privileged user (e.g., an editor or administrator) to submit crafted input through the plugin's interface. The injected script is then stored and executed when any user visits the affected page, without requiring further interaction from the victim [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously.

Impact

Successful exploitation allows an attacker to perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing session cookies. The CVSS v3 base score is 6.5 (Medium), reflecting the need for authenticated access but the potential for widespread harm once the payload is stored [1].

Mitigation

The vendor has released version 8.3.1 which resolves the issue. Users are strongly advised to update immediately. For those unable to update, enabling auto-updates (if using Patchstack) or consulting a hosting provider is recommended [1].