Platform: wordpress
Component: cost-calculator-builder
Fixed in: 3.2.66
CVE-2025-39587 describes a SQL Injection vulnerability discovered in Stylemix Cost Calculator Builder. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the WordPress site. The vulnerability affects versions from 0.0.0 up to and including 3.2.65, and a patch is available in version 3.2.66.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication, read sensitive data from the database (such as user credentials, financial information, or configuration details), modify data, or even execute arbitrary commands on the server. The blast radius extends to any data stored within the Cost Calculator Builder's database, potentially impacting the entire WordPress site. While no specific real-world exploitation has been publicly reported, SQL Injection vulnerabilities are consistently among the most exploited web application flaws, and this one’s critical severity underscores the potential for significant damage.
CVE-2025-39587 was publicly disclosed on 2025-04-17. Its CRITICAL CVSS score indicates a high probability of exploitation. No public proof-of-concept exploits are currently available, but the vulnerability’s nature and severity make it a likely target for attackers. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.23% (46th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to immediately upgrade Cost Calculator Builder to version 3.2.66 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and sanitization on all user-supplied data used in SQL queries. Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts can also provide a layer of protection. Review Cost Calculator Builder’s configuration for any insecure database connection settings. After upgrading, confirm the vulnerability is resolved by attempting a SQL Injection attack via a vulnerable parameter and verifying that it is blocked.
Update the Cost Calculator Builder plugin to a patched version. Refer to the plugin's release notes for specific instructions on how to apply the update and mitigate the SQL Injection vulnerability.
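The advisory does not identify which plugin code path or request parameter is injectable, so the following is an added, generic illustration (not Stylemix's code) of the WordPress pattern behind this class of bug and the fix the mitigation paragraph alludes to: untrusted request values concatenated into SQL text, replaced by `$wpdb->prepare()` placeholders for values and an allow-list for identifiers. The table name `cc_calculators`, the columns, the `calc_id`/`orderby` parameters, the nonce action and the AJAX hook are all hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Table, columns, request
// parameters and hook names are hypothetical; the page does not name the
// actual injectable parameter in Cost Calculator Builder.

// BEFORE (vulnerable pattern): request values are spliced into the SQL string,
// so a crafted `calc_id` or `orderby` value changes the query's structure.
function cc_get_calculator_unsafe( $request ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'cc_calculators';                 // hypothetical table
    $calc_id = isset( $request['calc_id'] ) ? $request['calc_id'] : '';
    $orderby = isset( $request['orderby'] ) ? $request['orderby'] : 'id';

    $sql = "SELECT * FROM {$table} WHERE id = " . $calc_id . " ORDER BY " . $orderby;
    return $wpdb->get_results( $sql ); // untrusted input inside SQL text
}

// AFTER (hardened): values are bound through placeholders, identifiers are
// restricted to a fixed allow-list, and the caller is authorised first.
function cc_get_calculator_safe( $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cc_calculators';

    // 1. Enforce the expected type. absint() returns 0 for anything non-numeric,
    //    which we treat as an invalid request rather than querying for id 0.
    $calc_id = isset( $request['calc_id'] ) ? absint( $request['calc_id'] ) : 0;
    if ( 0 === $calc_id ) {
        return new WP_Error( 'cc_bad_id', 'Invalid calculator id.' );
    }

    // 2. ORDER BY takes an identifier, which placeholders cannot bind, so the
    //    only safe option is an allow-list with a safe default.
    $allowed_orderby = array( 'id', 'title', 'created_at' );      // hypothetical columns
    $orderby = isset( $request['orderby'] ) ? sanitize_key( $request['orderby'] ) : 'id';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }

    // 3. Bind the value with $wpdb->prepare(); %d coerces to an integer so the
    //    value can never terminate or extend the statement.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id = %d ORDER BY {$orderby}",
        $calc_id
    );
    return $wpdb->get_results( $sql );
}

// 4. At the AJAX entry point, verify intent (nonce) and capability before the
//    query runs, so unauthenticated callers never reach the database at all.
add_action( 'wp_ajax_cc_get_calculator', function () {
    check_ajax_referer( 'cc_nonce', 'nonce' );                    // hypothetical nonce action
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $result = cc_get_calculator_safe( $_GET );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( $result );
} );
```

Two points a reviewer would check in any plugin fix of this kind: every value that reaches SQL goes through a `%d`/`%s`/`%f` placeholder rather than string concatenation, and every identifier (table or column chosen by the request) is compared against a fixed list. On WordPress 6.2 and later, `$wpdb->prepare()` also accepts the `%i` placeholder for identifiers, which can replace the manual allow-list for the column name but not the decision about which columns a caller may sort by.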
CVE-2025-39587 is a critical SQL Injection vulnerability in Stylemix Cost Calculator Builder allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using Cost Calculator Builder versions 0.0.0 through 3.2.65. Upgrade to 3.2.66 to mitigate the risk.
Upgrade Cost Calculator Builder to version 3.2.66 or later. Implement input validation and WAF rules as temporary workarounds if immediate upgrade is not possible.
While no active exploitation has been publicly confirmed, the vulnerability’s severity suggests a high likelihood of future attacks.
Refer to the Stylemix Cost Calculator Builder website and WordPress plugin repository for the latest advisory and update information.