CVE-2026-2506
Stored XSS in EM Cost Calculator Plugin Allows Admin Script Injection
Publication date: 2026-02-26
Last updated on: 2026-02-26
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| em_cost_calculator | em_cost_calculator | to 2.3.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The EM Cost Calculator plugin for WordPress, up to version 2.3.1, is vulnerable to Stored Cross-Site Scripting (XSS). This occurs because the plugin stores attacker-controlled 'customer_name' data and then renders it in the admin customer list without properly escaping the output. As a result, an unauthenticated attacker can inject malicious web scripts that execute when an administrator views the EMCC Customers page.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to inject arbitrary scripts that run in the context of the administrator's browser when they view the customer list. This can lead to several impacts including theft of administrator session cookies, unauthorized actions performed with administrator privileges, or the installation of malware. Because the attack executes in the admin interface, it can compromise the security and integrity of the WordPress site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves stored Cross-Site Scripting (XSS) in the EM Cost Calculator WordPress plugin versions up to 2.3.1, where attacker-controlled 'customer_name' data is stored and rendered without output escaping in the admin customer list."}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can check if the EM Cost Calculator plugin is installed and running version 2.3.1 or earlier.'}, {'type': 'paragraph', 'content': 'You can also inspect the EMCC Customers admin page for suspicious or unexpected script tags or HTML in the Customer Name field, which may indicate stored XSS payloads.'}, {'type': 'paragraph', 'content': "Since the vulnerability manifests when an administrator views the EMCC Customers page, monitoring HTTP requests to the admin page with the slug 'em_add_data' or the submenu 'About EMCC' may help detect exploitation attempts."}, {'type': 'paragraph', 'content': 'No specific detection commands are provided in the available resources.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating the EM Cost Calculator plugin to a version later than 2.3.1 where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'If an update is not immediately available, restrict access to the WordPress admin area to trusted administrators only, as the vulnerability requires an administrator to view the malicious data to trigger the XSS.'}, {'type': 'paragraph', 'content': 'Consider temporarily disabling or uninstalling the EM Cost Calculator plugin until a patched version is applied.'}, {'type': 'paragraph', 'content': "Review and sanitize any stored customer data, especially the 'customer_name' field, to remove any injected scripts."}, {'type': 'paragraph', 'content': "Implement web application firewall (WAF) rules to detect and block attempts to inject malicious scripts into the plugin's input fields."}] [1]