WordPress · Cost Calculator Builder · CVE-2024-6011
Name of the Vulnerable Software and Affected Versions:
Cost Calculator Builder plugin for WordPress versions up to, and including, 3.2.12
Description:
The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers with Administrator-level access and above to inject arbitrary web scripts via the `textarea.description` parameter. This enables the execution of injected scripts whenever a user accesses an injected page.
Recommendations:
For versions up to, and including, 3.2.12, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `textarea.description` parameter to minimize the risk of exploitation.