
CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Mar 2023 — The Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the nd_cc_meta_box_cc_price_icon parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wordpress.org/plugins/nd-projects/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

13 Feb 2023 — The Cost Calculator WordPress plugin through 1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's nd_cost_calculator shortcode in versions up to, and including, 1.8 due to insufficient input sanitization and output ... • https://wpscan.com/vulnerability/f00b82f7-d8ad-4f6b-b791-81cc16b6336b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

01 Feb 2022 — The Cost Calculator WordPress plugin through 1.6 allows authenticated users (Contributor+ in versions < 1.5, and Admin+ in versions <= 1.6) to perform path traversal and local PHP file inclusion on Windows web servers via the Cost Calculator post's Layout. • https://wpscan.com/vulnerability/47652b24-a6f0-4bbc-834e-496b88523fe7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Feb 2022 — The Cost Calculator WordPress plugin before 1.6 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of Cost Calculator > Price Settings (which get injected on the edit page as well as any page that embeds the calculator using the shortcode), as well as the Text Preview field of a Project (injected on the edit project page). • https://wpscan.com/vulnerability/f0915b66-0b99-4aeb-9fba-759cafaeb0cb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
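The two bug classes in this listing (unescaped shortcode attributes reaching the page, and a Layout value reaching a PHP include) follow one pattern: contributor-controlled strings are pasted into HTML or into a file path. The following is an added illustration written for this page, not the Cost Calculator plugin's code, and the attribute names `title`, `color` and `layout`, the layout directory and the sample payloads are all constructed assumptions. It uses plain PHP so it runs without WordPress; `htmlspecialchars()` stands in for `esc_attr()`/`esc_html()`, which a real plugin would call instead.

```php
<?php
// Added example for this listing; not the plugin's own code.
// Shows (1) a shortcode handler that echoes attributes unescaped versus one
// that escapes per output context, and (2) a "layout" loader that builds an
// include path from user input versus one that maps the input onto an allowlist.
declare(strict_types=1);

/** Vulnerable: attribute values are concatenated straight into HTML (CWE-79). */
function render_calculator_unsafe(array $atts): string
{
    $title = $atts['title'] ?? '';   // hypothetical attribute names
    $color = $atts['color'] ?? '#000';
    return '<div class="cost-calc" style="color:' . $color . '">'
         . '<h3>' . $title . '</h3></div>';
}

/** Hardened: each value is escaped or constrained for the context it lands in. */
function render_calculator_safe(array $atts): string
{
    // Element text: HTML-escape (WordPress: esc_html()).
    $title = htmlspecialchars((string)($atts['title'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Inline style: escaping alone is not enough, so restrict to a hex colour shape.
    $color = (string)($atts['color'] ?? '#000');
    if (!preg_match('/^#[0-9a-fA-F]{3,8}$/', $color)) {
        $color = '#000';
    }
    return '<div class="cost-calc" style="color:' . $color . '">'
         . '<h3>' . $title . '</h3></div>';
}

/**
 * Vulnerable layout resolver (CWE-22 / CWE-98): the value becomes part of an
 * include path. Stripping "../" does not help on Windows, where PHP also treats
 * "\" as a directory separator, so "..\" climbs out of the layouts directory.
 */
function resolve_layout_unsafe(string $layout, string $dir): string
{
    $layout = str_replace('../', '', $layout);
    return $dir . '/' . $layout . '.php';
}

/** Hardened: the input selects from an allowlist; it never reaches the path itself. */
function resolve_layout_safe(string $layout, string $dir): ?string
{
    static $known = ['default', 'compact', 'two-column']; // hypothetical layouts
    if (!preg_match('/^[a-z0-9-]+$/', $layout) || !in_array($layout, $known, true)) {
        return null; // caller falls back to a default instead of including anything
    }
    return $dir . '/' . $layout . '.php';
}

// Constructed inputs standing in for what a contributor could put in a shortcode.
$xssAtts = [
    'title' => '<img src=x onerror=alert(document.cookie)>',
    'color' => 'red" onmouseover="alert(1)',
];
$layoutDir = '/var/www/html/wp-content/plugins/example/layouts'; // hypothetical

echo "unsafe HTML:   ", render_calculator_unsafe($xssAtts), PHP_EOL;
echo "escaped HTML:  ", render_calculator_safe($xssAtts), PHP_EOL;

// "..\" survives a filter that only knows about "../".
$traversal = '..\\..\\..\\..\\Windows\\win.ini';
echo "unsafe path:   ", resolve_layout_unsafe($traversal, $layoutDir), PHP_EOL;
echo "allowlisted:   ", var_export(resolve_layout_safe($traversal, $layoutDir), true), PHP_EOL;
echo "known layout:  ", resolve_layout_safe('compact', $layoutDir), PHP_EOL;
```

Run it with `php example.php`: the unsafe renderer emits the `<img>` tag and the attribute break-out verbatim, the safe one emits `&lt;img ...&gt;` text and falls back to `#000`; the unsafe resolver returns a path containing `..\..\` even after its `../` filter, while the allowlisted resolver returns `null` for it and a real path only for `compact`.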