VDB
CVE-2026-2506
CVE-2026-2506
PUBLISHED
CVSS 6.099999904632568 MEDIUM
The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the plugin storing attacker-controlled 'customer_name' data and rendering it in the admin customer list without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the EMCC Customers page.
EPSS 0.13% · 31.5th percentile
Risk Scores
CVSS v3.1
6.099999904632568
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
0.13%
31.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| motahar1 | EM Cost Calculator | *, *, 0 |
Timeline
- Feb 13, 2026 CVE ID Reserved
- Feb 26, 2026 EPSS Score
- Feb 26, 2026 CVE Published
- Feb 26, 2026 PoC Published
- Feb 27, 2026 EPSS Score
- Mar 1, 2026 EPSS Score
- Mar 2, 2026 EPSS Score
- Mar 4, 2026 EPSS Score
- Mar 5, 2026 EPSS Score
- Mar 7, 2026 EPSS Score
- Mar 8, 2026 EPSS Score
- Mar 10, 2026 EPSS Score
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1eef338a-ccc7-41a2-b87a-0945e39380d2?source=cve url
- https://plugins.trac.wordpress.org/browser/cost-calculator/tags/2.3.1/em-cost-calculator-widget.php#L655 url
- https://plugins.trac.wordpress.org/browser/cost-calculator/tags/2.3.1/em-cost-calculator-widget.php#L682 url
- https://plugins.trac.wordpress.org/browser/cost-calculator/tags/2.3.1/em-cost-calculator-widget.php#L701 url
- https://plugins.trac.wordpress.org/browser/cost-calculator/tags/2.3.1/em-cost-calc-admin-page.php#L59 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-2506 advisory