[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjPxAxyjxndIZbeqPlnwqGEhsFt0AKBKzF8TnvGYTgGw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-54847","stylish-cost-calculator-quote-generator-lead-gen-price-estimator-missing-authorization","Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator \u003C= 8.3.9 - Missing Authorization","The Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.3.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.","stylish-cost-calculator",null,"\u003C=8.3.9","8.3.10","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-18 00:00:00","2026-06-23 15:35:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F70b56b64-2334-44f1-9924-1ea642664b41?source=api-prod",6,[22,23,24,25,26,27,28,29],"admin\u002Fcontrollers\u002FPageControllers\u002Fclass-page-edit-calculator.php","admin\u002Fcontrollers\u002Fdealer.php","admin\u002Fcontrollers\u002FformController.php","admin\u002Fcontrollers\u002FmigrateController.php","admin\u002Fmodels\u002FeditElementModel.php","admin\u002Fviews\u002FadminHeader.php","admin\u002Fviews\u002FcalculatorQuotes.php","admin\u002Fviews\u002FeditCalcualtor.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-54847 (Stylish Cost Calculator)\n\n## 1. Vulnerability Summary\nThe **Stylish Cost Calculator** plugin for WordPress is vulnerable to **Missing Authorization** in its administrative routing logic. The `dealer` class located in `admin\u002Fcontrollers\u002Fdealer.php` is instantiated globally (`new dealer()`). Its constructor automatically processes the `page` query parameter and loads administrative controllers without any capability checks (e.g., `current_user_can()`) or authentication verification.\n\nAn unauthenticated attacker can trigger the loading of administrative Page Controllers, such as `PageEditTabs` in `admin\u002Fcontrollers\u002FPageControllers\u002Fclass-page-edit-calculator.php`. Upon instantiation, these controllers perform unauthorized actions, most notably updating the `df-scc-save-count` option via the `updateCalculatorUsageStat()` function.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: Any page on the WordPress site (including frontend root or `wp-admin\u002Fadmin-ajax.php`).\n- **HTTP Parameter**: `page` (set to `scc_edit_items`) and `id_form` (set to a valid calculator ID).\n- **Authentication**: None (Unauthenticated).\n- **Preconditions**: At least one calculator must exist in the database so that `$formC->readWithRelations($_GET['id_form'])` returns a truthy value.\n\n## 3. Code Flow\n1. **Entry Point**: The plugin initializes and requires `admin\u002F","The Stylish Cost Calculator plugin fails to perform authorization checks in its administrative routing logic, allowing unauthenticated attackers to access internal controllers. By supplying specific query parameters, an attacker can trigger administrative functions such as updating global usage statistics or viewing restricted calculator configuration metadata.","\u002F\u002F admin\u002Fcontrollers\u002Fdealer.php line 6\nclass dealer {\n\n\tpublic function __construct() {\n\t\tif ( isset( $_GET['page'] ) ) {\n\t\t\t$this->get( $_GET['page'] );\n\t\t}\n\t}\n\tprotected function get( $page ) {\n        \u002F\u002F ...\n\t\tswitch ( $page ) {\n            \u002F\u002F ...\n\t\t\tcase 'scc_edit_items' && isset( $_GET['id_form'] ):\n\t\t\t\trequire dirname( __FILE__ ) . '\u002FPageControllers\u002Fclass-page-edit-calculator.php';\n\t\t\t\tbreak;\n\n---\n\n\u002F\u002F admin\u002Fcontrollers\u002FPageControllers\u002Fclass-page-edit-calculator.php line 17\nclass PageEditTabs extends PagesBreadcrumbs {\n\n\tpublic function __construct() {\n\t\trequire dirname( __DIR__, 1 ) . '\u002FformController.php';\n\t\t$formC = new formController();\n\n        \u002F\u002F ... (truncated enqueues)\n\t\t\n\t\t$f1          = $formC->readWithRelations( $_GET['id_form'] );\n\t\t$isActivated = get_option( 'df_scc_licensed', 0 ) ? true : false;\n\n\t\tparent::__construct();\n\t\twp_enqueue_media();\n\n\t\tif ( ! $f1 ) {\n\t\t\treturn $this->show_eror();\n\t\t}\n\n\t\t$this->updateCalculatorUsageStat();","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fstylish-cost-calculator\u002F8.3.9\u002Fadmin\u002Fcontrollers\u002Fdealer.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fstylish-cost-calculator\u002F8.3.10\u002Fadmin\u002Fcontrollers\u002Fdealer.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fstylish-cost-calculator\u002F8.3.9\u002Fadmin\u002Fcontrollers\u002Fdealer.php\t2025-06-10 17:27:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fstylish-cost-calculator\u002F8.3.10\u002Fadmin\u002Fcontrollers\u002Fdealer.php\t2026-06-11 13:59:22.000000000 +0000\n@@ -21,8 +21,12 @@\n \t\t\tcase 'add_new_form2':\n \t\t\t\trequire dirname( __FILE__ ) . '\u002FPageControllers\u002Fclass-page-new-calcualtor.php';\n \t\t\t\tbreak;\n-t\t\tcase 'scc_edit_items' && isset( $_GET['id_form'] ):\n-t\t\t\trequire dirname( __FILE__ ) . '\u002FPageControllers\u002Fclass-page-edit-calculator.php';\n+t\t\tcase 'scc_edit_items':\n+\t\t\t\tif ( isset( $_GET['id_form'] ) ) {\n+\t\t\t\t\trequire dirname( __FILE__ ) . '\u002FPageControllers\u002Fclass-page-edit-calculator.php';\n+\t\t\t\t} else {\n+\t\t\t\t\trequire dirname( __FILE__ ) . '\u002FPageControllers\u002Fclass-page-new-calcualtor.php';\n+\t\t\t\t}\n \t\t\t\tbreak;\n \t\t\tcase 'scc-list-all-calculator-forms':\n \t\t\t\trequire dirname( __FILE__ ) . '\u002FPageControllers\u002Fclass-page-all-forms.php';\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fstylish-cost-calculator\u002F8.3.9\u002Fadmin\u002Fcontrollers\u002FPageControllers\u002Fclass-page-edit-calculator.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fstylish-cost-calculator\u002F8.3.10\u002Fadmin\u002Fcontrollers\u002FPageControllers\u002Fclass-page-edit-calculator.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fstylish-cost-calculator\u002F8.3.9\u002Fadmin\u002Fcontrollers\u002FPageControllers\u002Fclass-page-edit-calculator.php\t2026-05-05 20:27:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fstylish-cost-calculator\u002F8.3.10\u002Fadmin\u002Fcontrollers\u002FPageControllers\u002Fclass-page-edit-calculator.php\t2026-06-11 13:59:22.000000000 +0000\n@@ -14,8 +12,16 @@\n class PageEditTabs extends PagesBreadcrumbs {\n \n \tpublic function __construct() {\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_die( esc_html__( 'You do not have permission to edit calculators.', 'scc' ) );\n+\t\t}\n+\n \t\trequire dirname( __DIR__, 1 ) . '\u002FformController.php';\n \t\t$formC = new formController();\n+\t\t$form_id = 0;\n+\t\tif ( isset( $_GET['id_form'] ) && ! is_array( $_GET['id_form'] ) ) {\n+\t\t\t$form_id = absint( wp_unslash( $_GET['id_form'] ) );\n+\t\t}","The exploit targets the global initialization of the `dealer` class, which handles administrative routing. \n\n1. An unauthenticated attacker sends a GET request to the WordPress site (either the frontend or administrative index).\n2. The attacker includes the query parameter `page=scc_edit_items` and `id_form=[ID]`, where `[ID]` is the ID of an existing calculator.\n3. The `dealer` class constructor processes the `page` parameter and requires the `class-page-edit-calculator.php` file.\n4. Upon instantiation, the `PageEditTabs` controller (which lacks any capability checks in vulnerable versions) automatically executes `updateCalculatorUsageStat()`, incrementing the `df-scc-save-count` option in the database.\n5. Additionally, the attacker may receive partial administrative UI output or sensitive calculator configuration details in the HTTP response body if the form ID is valid.","gemini-3-flash-preview","2026-06-25 21:21:07","2026-06-25 21:22:09",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","8.3.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fstylish-cost-calculator\u002Ftags\u002F8.3.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstylish-cost-calculator.8.3.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fstylish-cost-calculator\u002Ftags\u002F8.3.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstylish-cost-calculator.8.3.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fstylish-cost-calculator\u002Ftags"]