CVE-2026-54847

Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator <= 8.3.9 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
8.3.10
Patched in
6d
Time to patch

Description

The Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.3.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=8.3.9
PublishedJune 18, 2026
Last updatedJune 23, 2026

What Changed in the Fix

Changes introduced in v8.3.10

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-54847 (Stylish Cost Calculator) ## 1. Vulnerability Summary The **Stylish Cost Calculator** plugin for WordPress is vulnerable to **Missing Authorization** in its administrative routing logic. The `dealer` class located in `admin/controllers/dealer.php` is ins…

Show full research plan

Exploitation Research Plan: CVE-2026-54847 (Stylish Cost Calculator)

1. Vulnerability Summary

The Stylish Cost Calculator plugin for WordPress is vulnerable to Missing Authorization in its administrative routing logic. The dealer class located in admin/controllers/dealer.php is instantiated globally (new dealer()). Its constructor automatically processes the page query parameter and loads administrative controllers without any capability checks (e.g., current_user_can()) or authentication verification.

An unauthenticated attacker can trigger the loading of administrative Page Controllers, such as PageEditTabs in admin/controllers/PageControllers/class-page-edit-calculator.php. Upon instantiation, these controllers perform unauthorized actions, most notably updating the df-scc-save-count option via the updateCalculatorUsageStat() function.

2. Attack Vector Analysis

  • Endpoint: Any page on the WordPress site (including frontend root or wp-admin/admin-ajax.php).
  • HTTP Parameter: page (set to scc_edit_items) and id_form (set to a valid calculator ID).
  • Authentication: None (Unauthenticated).
  • Preconditions: At least one calculator must exist in the database so that $formC->readWithRelations($_GET['id_form']) returns a truthy value.

3. Code Flow

  1. Entry Point: The plugin initializes and requires `admin/
Research Findings
Static analysis — not yet PoC-verified

Summary

The Stylish Cost Calculator plugin fails to perform authorization checks in its administrative routing logic, allowing unauthenticated attackers to access internal controllers. By supplying specific query parameters, an attacker can trigger administrative functions such as updating global usage statistics or viewing restricted calculator configuration metadata.

Vulnerable Code

// admin/controllers/dealer.php line 6
class dealer {

	public function __construct() {
		if ( isset( $_GET['page'] ) ) {
			$this->get( $_GET['page'] );
		}
	}
	protected function get( $page ) {
        // ...
		switch ( $page ) {
            // ...
			case 'scc_edit_items' && isset( $_GET['id_form'] ):
				require dirname( __FILE__ ) . '/PageControllers/class-page-edit-calculator.php';
				break;

---

// admin/controllers/PageControllers/class-page-edit-calculator.php line 17
class PageEditTabs extends PagesBreadcrumbs {

	public function __construct() {
		require dirname( __DIR__, 1 ) . '/formController.php';
		$formC = new formController();

        // ... (truncated enqueues)
		
		$f1          = $formC->readWithRelations( $_GET['id_form'] );
		$isActivated = get_option( 'df_scc_licensed', 0 ) ? true : false;

		parent::__construct();
		wp_enqueue_media();

		if ( ! $f1 ) {
			return $this->show_eror();
		}

		$this->updateCalculatorUsageStat();

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/stylish-cost-calculator/8.3.9/admin/controllers/dealer.php /home/deploy/wp-safety.org/data/plugin-versions/stylish-cost-calculator/8.3.10/admin/controllers/dealer.php
--- /home/deploy/wp-safety.org/data/plugin-versions/stylish-cost-calculator/8.3.9/admin/controllers/dealer.php	2025-06-10 17:27:50.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/stylish-cost-calculator/8.3.10/admin/controllers/dealer.php	2026-06-11 13:59:22.000000000 +0000
@@ -21,8 +21,12 @@
 			case 'add_new_form2':
 				require dirname( __FILE__ ) . '/PageControllers/class-page-new-calcualtor.php';
 				break;
-t		case 'scc_edit_items' && isset( $_GET['id_form'] ):
-t			require dirname( __FILE__ ) . '/PageControllers/class-page-edit-calculator.php';
+t		case 'scc_edit_items':
+				if ( isset( $_GET['id_form'] ) ) {
+					require dirname( __FILE__ ) . '/PageControllers/class-page-edit-calculator.php';
+				} else {
+					require dirname( __FILE__ ) . '/PageControllers/class-page-new-calcualtor.php';
+				}
 				break;
 			case 'scc-list-all-calculator-forms':
 				require dirname( __FILE__ ) . '/PageControllers/class-page-all-forms.php';
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/stylish-cost-calculator/8.3.9/admin/controllers/PageControllers/class-page-edit-calculator.php /home/deploy/wp-safety.org/data/plugin-versions/stylish-cost-calculator/8.3.10/admin/controllers/PageControllers/class-page-edit-calculator.php
--- /home/deploy/wp-safety.org/data/plugin-versions/stylish-cost-calculator/8.3.9/admin/controllers/PageControllers/class-page-edit-calculator.php	2026-05-05 20:27:08.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/stylish-cost-calculator/8.3.10/admin/controllers/PageControllers/class-page-edit-calculator.php	2026-06-11 13:59:22.000000000 +0000
@@ -14,8 +12,16 @@
 class PageEditTabs extends PagesBreadcrumbs {
 
 	public function __construct() {
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_die( esc_html__( 'You do not have permission to edit calculators.', 'scc' ) );
+		}
+
 		require dirname( __DIR__, 1 ) . '/formController.php';
 		$formC = new formController();
+		$form_id = 0;
+		if ( isset( $_GET['id_form'] ) && ! is_array( $_GET['id_form'] ) ) {
+			$form_id = absint( wp_unslash( $_GET['id_form'] ) );
+		}

Exploit Outline

The exploit targets the global initialization of the `dealer` class, which handles administrative routing. 1. An unauthenticated attacker sends a GET request to the WordPress site (either the frontend or administrative index). 2. The attacker includes the query parameter `page=scc_edit_items` and `id_form=[ID]`, where `[ID]` is the ID of an existing calculator. 3. The `dealer` class constructor processes the `page` parameter and requires the `class-page-edit-calculator.php` file. 4. Upon instantiation, the `PageEditTabs` controller (which lacks any capability checks in vulnerable versions) automatically executes `updateCalculatorUsageStat()`, incrementing the `df-scc-save-count` option in the database. 5. Additionally, the attacker may receive partial administrative UI output or sensitive calculator configuration details in the HTTP response body if the form ID is valid.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.