CVE-2025-48277: 
WordPress vulnerability analysis and mitigation

CVE-2025-48277 is a Stored Cross-Site Scripting (XSS) vulnerability discovered in Stylemix Cost Calculator Builder WordPress plugin. The vulnerability affects versions through 3.2.74 and was disclosed on May 19, 2025. This security issue impacts the Cost Calculator Builder plugin, which is used for creating calculation forms on WordPress websites (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 Base Score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator privileges to exploit (Patchstack).

This vulnerability could allow a malicious actor with administrator access to inject malicious scripts into the website. When executed, these scripts could lead to various consequences including redirects, unauthorized advertisements, and execution of arbitrary HTML payloads when visitors access the affected site (Patchstack).

The vulnerability has been fixed in version 3.5.0 of the Cost Calculator Builder plugin. Users are advised to update to version 3.5.0 or later to remediate this security issue (Patchstack).