Platform
wordpress
Component
cost-calculator-builder
Fixed in
3.2.66
CVE-2025-39587 describes a SQL Injection vulnerability discovered in Stylemix Cost Calculator Builder. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the WordPress site. The vulnerability affects versions from 0.0.0 up to and including 3.2.65, and a patch is available in version 3.2.66.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication, read sensitive data from the database (such as user credentials, financial information, or configuration details), modify data, or even execute arbitrary commands on the server. The blast radius extends to any data stored within the Cost Calculator Builder's database, potentially impacting the entire WordPress site. While no specific real-world exploitation has been publicly reported, SQL Injection vulnerabilities are consistently among the most exploited web application flaws, and this one’s critical severity underscores the potential for significant damage.
CVE-2025-39587 was publicly disclosed on 2025-04-17. Its CRITICAL CVSS score indicates a high probability of exploitation. No public proof-of-concept exploits are currently available, but the vulnerability’s nature and severity make it a likely target for attackers. It is not currently listed on the CISA KEV catalog.
Most at risk are websites using Cost Calculator Builder, particularly those with sensitive data stored in the database or those running older, unpatched versions. Shared hosting environments are at increased risk because of the potential for cross-site contamination.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/cost-calculator-builder/
• generic web:
curl -I 'https://your-website.com/cost-calculator-builder/?param='  # Check for SQL injection indicators in response headers
Disclosure
Exploit Status
EPSS
0.23% (46th percentile)
CISA SSVC
CVSS-vector
The primary mitigation is to immediately upgrade Cost Calculator Builder to version 3.2.66 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and sanitization on all user-supplied data used in SQL queries. Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts can also provide a layer of protection. Review Cost Calculator Builder’s configuration for any insecure database connection settings. After upgrading, confirm the vulnerability is resolved by attempting a SQL Injection attack via a vulnerable parameter and verifying that it is blocked.
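As an added illustration of the "input validation and sanitization" workaround named above (this is not code from the Cost Calculator Builder plugin and does not show where the actual flaw lives; the table, column and hook names are hypothetical), here is the vulnerable query pattern beside its hardened form using WordPress's own $wpdb->prepare():

```php
<?php
// Added illustration only; not the plugin's code. Table, column and hook
// names below are hypothetical.

// BEFORE (vulnerable pattern): request data interpolated straight into SQL.
function ccb_demo_get_calculator_unsafe( $calc_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_calculators'; // hypothetical table
    // $calc_id arrives from the request and is never validated or bound,
    // so any SQL fragment supplied by the client becomes part of the query.
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = {$calc_id}" );
}

// AFTER (hardened): validate the type first, then bind with $wpdb->prepare().
function ccb_demo_get_calculator_safe( $raw_id ) {
    global $wpdb;
    $calc_id = absint( $raw_id ); // non-numeric input collapses to 0
    if ( 0 === $calc_id ) {
        return null; // reject rather than query with an invalid id
    }
    $table = $wpdb->prefix . 'demo_calculators';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id = %d", // %d binds an integer
        $calc_id
    );
    return $wpdb->get_row( $sql );
}

// String parameters: %s is quoted and escaped by prepare(); LIKE wildcards
// inside user input must additionally be neutralised with $wpdb->esc_like().
function ccb_demo_search_safe( $raw_term ) {
    global $wpdb;
    $term  = sanitize_text_field( wp_unslash( $raw_term ) );
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $table = $wpdb->prefix . 'demo_calculators';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s", $like )
    );
}

// Request entry point (hypothetical admin-ajax action): nonce and capability
// checks run before any database access.
add_action( 'wp_ajax_ccb_demo_get', function () {
    check_ajax_referer( 'ccb_demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( ccb_demo_get_calculator_safe( $_GET['id'] ?? '' ) );
} );
```

The same pattern (type check, then placeholder binding) applies to every user-controlled value that reaches a query, which is the property a WAF rule can only approximate from the outside.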
Update the Cost Calculator Builder plugin to a fixed version. Consult the plugin's release notes for specific instructions on applying the update and mitigating the SQL injection vulnerability.
CVE-2025-39587 is a critical SQL Injection vulnerability in Stylemix Cost Calculator Builder allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using Cost Calculator Builder versions 0.0.0 through 3.2.65. Upgrade to 3.2.66 to mitigate the risk.
Upgrade Cost Calculator Builder to version 3.2.66 or later. Implement input validation and WAF rules as temporary workarounds if immediate upgrade is not possible.
While no active exploitation has been publicly confirmed, the vulnerability’s severity suggests a high likelihood of future attacks.
Refer to the Stylemix Cost Calculator Builder website and WordPress plugin repository for the latest advisory and update information.