Back to overview

CVE-2026-10865

MEDIUM
5.3
CVSS 3.1
Description
The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the (template body). This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal client_secret embedded in the page source of any page containing a calculator, enabling full control of the merchant's payment gateway accounts. This exposure only occurs when the 'use in all calculators' option is enabled for one or more payment gateways in the plugin's global settings.

Metadata

CVE ID
CVE-2026-10865
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-06-04 14:10 UTC
Published
2026-07-11 05:35 UTC
Last updated
2026-07-11 05:35 UTC
Primary CWE
CWE-200
CWE-200 Exposure of Sensitive Information to an Unauthorized…
Vendor / Product
stylemix / Cost Calculator Builder
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
stylemix Cost Calculator Builder 0 ≤ 4.0.11
Weakness (CWE)
CWESourceDescription
CWE-200 cna CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Back to overview