
EM Cost Calculator plugin for WordPress allows attackers to inject malicious scripts

CVE-2026-2506
Summary

An unauthenticated attacker can store a malicious script in the 'customer_name' field of the EM Cost Calculator plugin for WordPress. The script runs in an administrator's browser when they view the customer list, potentially allowing the attacker to take control of the plugin or perform other malicious actions. This affects versions 2.3.1 and earlier. To protect your site, update the plugin to the latest version.

Original title
The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the plugin storing attacker-controlled 'customer_nam...
Original description
The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the plugin storing attacker-controlled 'customer_name' data and rendering it in the admin customer list without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the EMCC Customers page.
NVD CVSS 3.1: 6.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
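
The pattern named in the description (a stored 'customer_name' rendered in an admin list without output escaping) is shown here beside its hardened form. This is an added example, not the plugin's source: every function name and the sample rows are hypothetical, and the `htmlspecialchars()` fallback exists only so the file runs outside WordPress.

```php
<?php
// Added illustration with hypothetical names; not code from EM Cost Calculator.

// Escape a value for an HTML text context. Inside WordPress this resolves to
// esc_html(); the fallback lets the file run stand-alone for testing.
function example_escape_html(string $value): string {
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored name is concatenated into the admin table
// markup as-is, so any markup in it becomes part of the page.
function example_render_row_unsafe(array $customer): string {
    return '<tr><td>' . $customer['customer_name'] . '</td></tr>';
}

// Hardened pattern: escape at the point of output, for the context the value
// lands in (element text here).
function example_render_row_safe(array $customer): string {
    return '<tr><td>' . example_escape_html($customer['customer_name']) . '</td></tr>';
}

// Constructed sample rows standing in for values read back from the database.
$rows = [
    ['customer_name' => 'Alice Example'],
    ['customer_name' => '<script>alert(1)</script>'],
];

foreach ($rows as $row) {
    echo 'unsafe: ', example_render_row_unsafe($row), PHP_EOL;
    echo 'safe:   ', example_render_row_safe($row), PHP_EOL;
}
```

In WordPress, cleaning the value on save with `sanitize_text_field()` adds a second layer, but escaping at output is what closes this class of bug, because it also covers rows stored before any fix.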