Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator <= 8.3.9 - Missing Authorization
Description
The Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.3.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=8.3.9What Changed in the Fix
Changes introduced in v8.3.10
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-54847 (Stylish Cost Calculator) ## 1. Vulnerability Summary The **Stylish Cost Calculator** plugin for WordPress is vulnerable to **Missing Authorization** in its administrative routing logic. The `dealer` class located in `admin/controllers/dealer.php` is ins…
Show full research plan
Exploitation Research Plan: CVE-2026-54847 (Stylish Cost Calculator)
1. Vulnerability Summary
The Stylish Cost Calculator plugin for WordPress is vulnerable to Missing Authorization in its administrative routing logic. The dealer class located in admin/controllers/dealer.php is instantiated globally (new dealer()). Its constructor automatically processes the page query parameter and loads administrative controllers without any capability checks (e.g., current_user_can()) or authentication verification.
An unauthenticated attacker can trigger the loading of administrative Page Controllers, such as PageEditTabs in admin/controllers/PageControllers/class-page-edit-calculator.php. Upon instantiation, these controllers perform unauthorized actions, most notably updating the df-scc-save-count option via the updateCalculatorUsageStat() function.
2. Attack Vector Analysis
- Endpoint: Any page on the WordPress site (including frontend root or
wp-admin/admin-ajax.php). - HTTP Parameter:
page(set toscc_edit_items) andid_form(set to a valid calculator ID). - Authentication: None (Unauthenticated).
- Preconditions: At least one calculator must exist in the database so that
$formC->readWithRelations($_GET['id_form'])returns a truthy value.
3. Code Flow
- Entry Point: The plugin initializes and requires `admin/
Summary
The Stylish Cost Calculator plugin fails to perform authorization checks in its administrative routing logic, allowing unauthenticated attackers to access internal controllers. By supplying specific query parameters, an attacker can trigger administrative functions such as updating global usage statistics or viewing restricted calculator configuration metadata.
Vulnerable Code
// admin/controllers/dealer.php line 6 class dealer { public function __construct() { if ( isset( $_GET['page'] ) ) { $this->get( $_GET['page'] ); } } protected function get( $page ) { // ... switch ( $page ) { // ... case 'scc_edit_items' && isset( $_GET['id_form'] ): require dirname( __FILE__ ) . '/PageControllers/class-page-edit-calculator.php'; break; --- // admin/controllers/PageControllers/class-page-edit-calculator.php line 17 class PageEditTabs extends PagesBreadcrumbs { public function __construct() { require dirname( __DIR__, 1 ) . '/formController.php'; $formC = new formController(); // ... (truncated enqueues) $f1 = $formC->readWithRelations( $_GET['id_form'] ); $isActivated = get_option( 'df_scc_licensed', 0 ) ? true : false; parent::__construct(); wp_enqueue_media(); if ( ! $f1 ) { return $this->show_eror(); } $this->updateCalculatorUsageStat();
Security Fix
@@ -21,8 +21,12 @@ case 'add_new_form2': require dirname( __FILE__ ) . '/PageControllers/class-page-new-calcualtor.php'; break; -t case 'scc_edit_items' && isset( $_GET['id_form'] ): -t require dirname( __FILE__ ) . '/PageControllers/class-page-edit-calculator.php'; +t case 'scc_edit_items': + if ( isset( $_GET['id_form'] ) ) { + require dirname( __FILE__ ) . '/PageControllers/class-page-edit-calculator.php'; + } else { + require dirname( __FILE__ ) . '/PageControllers/class-page-new-calcualtor.php'; + } break; case 'scc-list-all-calculator-forms': require dirname( __FILE__ ) . '/PageControllers/class-page-all-forms.php'; @@ -14,8 +12,16 @@ class PageEditTabs extends PagesBreadcrumbs { public function __construct() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( esc_html__( 'You do not have permission to edit calculators.', 'scc' ) ); + } + require dirname( __DIR__, 1 ) . '/formController.php'; $formC = new formController(); + $form_id = 0; + if ( isset( $_GET['id_form'] ) && ! is_array( $_GET['id_form'] ) ) { + $form_id = absint( wp_unslash( $_GET['id_form'] ) ); + }
Exploit Outline
The exploit targets the global initialization of the `dealer` class, which handles administrative routing. 1. An unauthenticated attacker sends a GET request to the WordPress site (either the frontend or administrative index). 2. The attacker includes the query parameter `page=scc_edit_items` and `id_form=[ID]`, where `[ID]` is the ID of an existing calculator. 3. The `dealer` class constructor processes the `page` parameter and requires the `class-page-edit-calculator.php` file. 4. Upon instantiation, the `PageEditTabs` controller (which lacks any capability checks in vulnerable versions) automatically executes `updateCalculatorUsageStat()`, incrementing the `df-scc-save-count` option in the database. 5. Additionally, the attacker may receive partial administrative UI output or sensitive calculator configuration details in the HTTP response body if the form ID is valid.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.