CVE-2026-2506

The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the plugin storing attacker-controlled 'customer_name' data and rendering it in the admin customer list without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the EMCC Customers page.
Configurations

No configuration.

History

27 Feb 2026, 14:06

Type Values Removed Values Added
Summary
  • (es) The EM Cost Calculator plugin for WordPress is vulnerable to stored cross-site scripting in versions up to and including 2.3.1. This is because the plugin stores attacker-controlled 'customer_name' data and renders it in the admin customer list without output escaping. This allows unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the EMCC Customers page.

26 Feb 2026, 02:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-26 02:16

Updated : 2026-02-27 14:06


NVD link : CVE-2026-2506

Mitre link : CVE-2026-2506

CVE.ORG link : CVE-2026-2506



Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')