WordPress Cost Calculator Builder plugin <= 3.2.65 - SQL Injection Vulnerability
Platform
wordpress
Component
cost-calculator-builder
Fixed in
3.2.66
CVE-2025-39587 describes a SQL Injection vulnerability discovered in Stylemix Cost Calculator Builder. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the WordPress site. The vulnerability affects versions from 0.0.0 up to and including 3.2.65, and a patch is available in version 3.2.66.
Impact and Attack Scenarios
Successful exploitation could allow an unauthenticated attacker to read data from the WordPress database. A plugin shares the site's single database and database user, so the blast radius is not limited to the plugin's own tables: user records in wp_users (including password hashes), site options, and any customer data submitted through calculators are all reachable once SQL can be injected. The CVSS vector on this page rates the impact as high on confidentiality, none on integrity and low on availability, so the documented risk is disclosure rather than data modification or code execution. No real-world exploitation has been publicly reported, but unauthenticated SQL injection is consistently among the most exploited web application flaws, and the critical severity rating reflects how much data a single request can expose.
Exploitation Context
CVE-2025-39587 was publicly disclosed on 2025-04-17. The CVSS rating is CRITICAL, but CVSS measures severity, not likelihood: the EPSS score shown on this page (0.23%, 46th percentile) estimates a low probability of exploitation in the next 30 days, and the vulnerability is not listed in the CISA KEV catalog. No public proof-of-concept exploit is currently available. The preconditions are nonetheless attractive to attackers: the flaw is network-reachable, low complexity, needs no privileges and no user interaction, so the window before patching should be treated as exposure rather than waiting for exploitation reports.
Who Is at Risk
Websites running Cost Calculator Builder 3.2.65 or earlier, especially those storing customer or order data collected through calculators. Because the attack is unauthenticated, any site with the plugin active is exposed regardless of who its users are. Hosting setups where one database user serves several WordPress installs, a pattern found on some shared hosting plans, widen the blast radius: an injected query runs with that user's privileges and can reach the other sites' tables.
Detection Steps
• wordpress (on the server):
grep -m1 -E "^\s*\*?\s*Version:" /var/www/html/wp-content/plugins/cost-calculator-builder/*.php  # installed version from the plugin header; affected if 3.2.65 or lower
wp plugin get cost-calculator-builder --field=version  # same check via WP-CLI
• generic web (remote fingerprint, no authentication needed):
curl -s 'https://your-website.com/wp-content/plugins/cost-calculator-builder/readme.txt' | grep -i '^Stable tag'  # readme.txt is normally world-readable; "Stable tag" usually matches the installed version
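The following is an added example, not code from the advisory or from the Stylemix plugin. It automates the two checks above in Python: comparing an installed version string against the fixed release, and scanning web-server access log lines for SQL injection probes aimed at the plugin's files or at WordPress's admin-ajax.php. The log lines are constructed for this example, and the `action` and parameter names in them are hypothetical, because the advisory does not identify the vulnerable parameter.

```python
"""Added example for CVE-2025-39587 (not part of the advisory or the plugin).

Two offline checks a site owner can run:
  * is_affected(version)   - is an installed plugin version inside the
                             affected range (0.0.0 .. 3.2.65)?
  * scan_access_log(lines) - which access-log requests hit the plugin's files
                             or WordPress's admin-ajax.php with common SQL
                             injection indicators in the URL?
The sample log lines at the bottom are constructed; the action and parameter
names in them are hypothetical, since the advisory names no parameter.
"""
import re
from urllib.parse import unquote_plus

FIXED_VERSION = (3, 2, 66)  # first release that contains the fix


def parse_version(version: str) -> tuple:
    """'3.2.65' -> (3, 2, 65). A non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


# Apache/nginx combined-style request line: ip ident user [ts] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Only requests that can reach the plugin's code are of interest here.
PLUGIN_PATH_RE = re.compile(
    r"/wp-content/plugins/cost-calculator-builder/|/wp-admin/admin-ajax\.php", re.I
)

# A short list of classic SQL injection indicators, matched against the
# URL-decoded request target. Deliberately conservative: tune for your site.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select"            # UNION-based extraction
    r"|sleep\s*\(|benchmark\s*\("         # time-based blind probes
    r"|extractvalue\s*\(|updatexml\s*\("  # error-based probes
    r"|information_schema"                # schema enumeration
    r"|'\s*(or|and)\s+[\w'\"]+\s*="       # ' OR 1=1 style tautologies
    r"|--\s|/\*",                         # comment sequences that truncate a query
    re.I,
)


def scan_access_log(lines):
    """Return (ip, timestamp, decoded target, matched indicator) per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line this parser understands
        target = unquote_plus(m["target"])  # one decoding pass; double-encoding is not unwrapped
        if not PLUGIN_PATH_RE.search(target):
            continue  # request cannot reach the plugin
        hit = SQLI_RE.search(target)
        if hit:
            hits.append((m["ip"], m["ts"], target, hit.group(0)))
    return hits


# Constructed sample log (RFC 5737 documentation addresses; hypothetical action/parameter names).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=ccb_example&calc_id=3 HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Apr/2025:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=ccb_example&calc_id=3%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users HTTP/1.1" 200 2048',
    '198.51.100.7 - - [17/Apr/2025:10:02:11 +0000] "GET /wp-content/plugins/cost-calculator-builder/example.php?id=3%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 128',
    '198.51.100.9 - - [17/Apr/2025:10:03:00 +0000] "GET /?s=1%27%20OR%201%3D1-- HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for v in ("3.2.65", "3.2.66"):
        print(v, "affected" if is_affected(v) else "fixed")
    for ip, ts, target, why in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {why!r}: {target}")
```

Access logs carry only the request line, so POST bodies (where many WordPress AJAX parameters travel) are invisible to this scan; for those you need a WAF or application-level logging. The indicator list is intentionally short, a single decoding pass lets double-encoded payloads through, and the last sample line shows why the path filter matters: a tautology in a site search is noise for this CVE. Treat hits as leads to investigate, not proof of compromise.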
Threat Intelligence
- Exploit status: no public proof of concept reported
- EPSS: 0.23% (46th percentile)
- CISA KEV: not listed
CVSS Vector
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L (CVSS v3 base score 9.3, Critical), reconstructed from the metrics listed below.
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet; no physical or local access needed.
- Attack Complexity
- Low: no special conditions; the attacker can exploit reliably.
- Privileges Required
- None: no authentication needed to exploit.
- User Interaction
- None: the attack is automatic and silent; the victim does nothing.
- Scope
- Changed: the attack can pivot beyond the vulnerable component (the injected query runs against the whole WordPress database, not just the plugin's tables).
- Confidentiality
- High: total loss of confidentiality; the attacker can read all data.
- Integrity
- None: no integrity impact.
- Availability
- Low: partial or intermittent denial of service.
Affected Software
Package information
- Active installations
- 30K (popular)
- Plugin rating
- 4.5
- Requires WordPress
- 6.2+
- Tested up to
- 7.0
- Requires PHP
- 8.3+
Weakness Classification (CWE)
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Timeline
- Reserved
- Published: 2025-04-17
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation is to upgrade Cost Calculator Builder to version 3.2.66 or later without delay. If upgrading is not immediately possible, deactivate the plugin until it can be updated; a deactivated plugin registers no hooks or endpoints on the running site. A Web Application Firewall with SQL injection rules adds a layer of protection but is a stopgap, since signature-based rules can be bypassed with encoding and comment tricks. Input validation inside the plugin is not something a site owner can add without modifying plugin code, so it is not a practical workaround here. Reduce the blast radius of any SQL injection by running WordPress with a least-privilege database user: one database per site, only the data-manipulation and schema privileges WordPress needs on that database, and no global privileges such as FILE. After upgrading, confirm the installed version reads 3.2.66 or later (for example with wp plugin get cost-calculator-builder --field=version), review access logs from the disclosure date onward for SQL injection probes against the plugin's endpoints, and if there is any sign of exploitation treat the database as exposed: rotate database credentials, the WordPress salts and any API keys stored in wp_options, and force password resets for users.
How to fix
Update the Cost Calculator Builder plugin to a fixed version (3.2.66 or later). Check the plugin's release notes for specific instructions on applying the update.
Frequently asked questions
What is CVE-2025-39587 — SQL Injection in Cost Calculator Builder?
CVE-2025-39587 is a critical SQL Injection vulnerability in Stylemix Cost Calculator Builder allowing attackers to inject malicious SQL code and potentially access sensitive data.
Am I affected by CVE-2025-39587 in Cost Calculator Builder?
You are affected if you are using Cost Calculator Builder versions 0.0.0 through 3.2.65. Upgrade to 3.2.66 to mitigate the risk.
How do I fix CVE-2025-39587 in Cost Calculator Builder?
Upgrade Cost Calculator Builder to version 3.2.66 or later. If you cannot upgrade immediately, deactivate the plugin or put WAF SQL injection rules in front of the site as a temporary measure.
Is CVE-2025-39587 being actively exploited?
No active exploitation has been publicly confirmed, no public proof of concept is known, and the EPSS estimate on this page (0.23%) is low. The flaw is nonetheless unauthenticated and remotely reachable, so treat the time before patching as exposure rather than waiting for exploitation reports.
Where can I find the official Stylemix advisory for CVE-2025-39587?
Refer to the Stylemix Cost Calculator Builder website and WordPress plugin repository for the latest advisory and update information.