
CVE-2025-39587: Cost Calculator Builder SQL Vulnerability

CVE-2025-39587 is an SQL injection vulnerability in the Stylemix Cost Calculator Builder plugin affecting versions up to 3.2.65. This article covers the technical details, affected versions, security impact, and mitigation.

CVE-2025-39587 Overview

CVE-2025-39587 is a SQL injection vulnerability in the Stylemix Cost Calculator Builder plugin for WordPress. The flaw affects all versions of cost-calculator-builder up to and including 3.2.65. The plugin fails to properly neutralize special elements used in SQL commands, allowing attackers to inject arbitrary SQL into database queries. The vulnerability is tracked under CWE-89 and was published to the National Vulnerability Database (NVD) on April 17, 2025.

Critical Impact

Unauthenticated attackers can execute arbitrary SQL queries against the WordPress database over the network, leading to data disclosure and partial availability impact with changed scope.

Affected Products

  • Stylemix Cost Calculator Builder WordPress plugin (cost-calculator-builder)
  • All versions from initial release through 3.2.65
  • WordPress sites with the plugin installed and active

Discovery Timeline

  • 2025-04-17 - CVE-2025-39587 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-39587

Vulnerability Analysis

The Cost Calculator Builder plugin accepts user-supplied input that is incorporated into SQL queries without adequate sanitization or parameterization. Attackers can supply crafted payloads through plugin request parameters to alter query logic, extract data from the WordPress database, or perform other database operations available to the plugin's database user. The flaw is reachable over the network and does not require authentication or user interaction, increasing exposure for any WordPress site running an affected build.

Root Cause

The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The plugin constructs SQL statements by concatenating untrusted input with query strings rather than using prepared statements with bound parameters via $wpdb->prepare(). Special characters such as single quotes, semicolons, and SQL keywords pass through to the database engine intact, enabling query manipulation.
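To make the root cause concrete, here is an added example (not the plugin's own code, whose query is not shown on this page) contrasting the string-concatenation pattern behind CWE-89 with the `$wpdb->prepare()` form that closes it; the function and table names are hypothetical, and a small stand-in `$wpdb` is included so the script runs from the PHP CLI without WordPress.

```php
<?php
// Added example, not the plugin's own code: the CWE-89 pattern the advisory
// describes next to the $wpdb->prepare() form that fixes it. Function and
// table names are hypothetical; the real query in the plugin is not on this page.

// Vulnerable form: the request value is concatenated into the SQL text, so a
// quote in $calc_id closes the literal and the remainder is parsed as SQL.
function ccb_find_orders_vulnerable( $wpdb, $calc_id ) {
    $sql = "SELECT * FROM {$wpdb->prefix}cc_orders WHERE calc_id = '" . $calc_id . "'";
    return $wpdb->get_results( $sql );
}

// Hardened form: the value is bound through $wpdb->prepare(), which escapes it
// and inserts it only where the %d placeholder sits, so it can never change
// query structure. Casting to int first rejects non-numeric ids outright.
function ccb_find_orders_safe( $wpdb, $calc_id ) {
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}cc_orders WHERE calc_id = %d",
        (int) $calc_id
    );
    return $wpdb->get_results( $sql );
}

// Minimal stand-in for the real $wpdb (constructed for this example) so the
// script runs from the CLI and shows the SQL text each form would send.
class FakeWpdb {
    public $prefix = 'wp_';
    public function prepare( $query, ...$args ) {
        $args = array_map( function ( $a ) {
            return is_int( $a ) ? $a : "'" . addslashes( (string) $a ) . "'";
        }, $args );
        return vsprintf( str_replace( [ '%d', '%s' ], '%s', $query ), $args );
    }
    public function get_results( $sql ) { return $sql; }
}

$wpdb  = new FakeWpdb();
$input = "1' OR '1'='1"; // constructed request value containing a quote
echo ccb_find_orders_vulnerable( $wpdb, $input ), PHP_EOL; // quote escapes the literal
echo ccb_find_orders_safe( $wpdb, $input ), PHP_EOL;       // emits calc_id = 1
```

The real `$wpdb->prepare()` additionally rejects unescaped `%` literals and enforces placeholder types, which the stand-in omits.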

Attack Vector

An attacker sends crafted HTTP requests containing SQL metacharacters to plugin endpoints that interact with the database. Because the scope is changed, successful exploitation impacts resources beyond the vulnerable component, including data accessed by other WordPress components sharing the database. Refer to the Patchstack SQL Injection Vulnerability advisory for additional technical context.

Detection Methods for CVE-2025-39587

Indicators of Compromise

  • HTTP requests to wp-admin/admin-ajax.php or plugin AJAX actions containing SQL metacharacters such as UNION SELECT, SLEEP(, or --
  • Unexpected entries in WordPress database tables tied to the plugin or wp_options
  • Web server access logs showing repeated requests with encoded SQL payloads against cost-calculator-builder endpoints
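As an added example (not part of the original advisory), the following PHP scanner applies the request-log indicators above to access-log lines: it isolates requests to `admin-ajax.php`, URL-decodes the query string twice, and flags SQL metacharacters. The log lines are constructed, and the `ccb_` action prefix is an assumption since the plugin's real AJAX action names are not on this page.

```php
<?php
// Added example, not from the advisory: flag access-log lines that carry SQL
// metacharacters in requests to admin-ajax.php. Sample lines are constructed;
// the 'ccb_' action prefix is an assumption about the plugin's AJAX actions.

const SQLI_PATTERN = '/(union\s+select|sleep\s*\(|benchmark\s*\(|--\s|\/\*)/i';

// Returns [line number => decoded query string] for every flagged line.
function scan_access_log( array $lines ) {
    $hits = [];
    foreach ( $lines as $i => $line ) {
        // Common log format: the quoted request is "METHOD /path?query HTTP/x.y".
        if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP/', $line, $m ) ) {
            continue;
        }
        $path  = (string) parse_url( $m[1], PHP_URL_PATH );
        $query = (string) parse_url( $m[1], PHP_URL_QUERY );
        if ( ! preg_match( '#/wp-admin/admin-ajax\.php$#', $path ) ) {
            continue;
        }
        // Decode twice: double-encoding is a common way to slip past naive filters.
        $decoded = rawurldecode( rawurldecode( $query ) );
        // Only report traffic aimed at the plugin's own actions (assumed prefix).
        if ( strpos( $decoded, 'action=ccb_' ) === false ) {
            continue;
        }
        if ( preg_match( SQLI_PATTERN, $decoded ) ) {
            $hits[ $i + 1 ] = $decoded;
        }
    }
    return $hits;
}

// Constructed sample: a benign calculator request, one carrying an encoded
// UNION SELECT, and a SLEEP() probe against an unrelated action (not flagged).
$sample = [
    '203.0.113.5 - - [17/Apr/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ccb_get_calc&id=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Apr/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=ccb_get_calc&id=12%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 500 0',
    '198.51.100.9 - - [17/Apr/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=other_plugin&q=1%20AND%20SLEEP(5) HTTP/1.1" 200 17',
];

foreach ( scan_access_log( $sample ) as $n => $q ) {
    echo "line {$n}: {$q}", PHP_EOL; // only line 2 is reported
}
```

Access logs record only the query string, so payloads sent in POST bodies are invisible here; pair this with WAF or application-level request logging to cover POST-based AJAX calls.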

Detection Strategies

  • Inspect web application firewall (WAF) and reverse proxy logs for SQL injection signatures targeting plugin parameters
  • Enable MySQL or MariaDB general query logging temporarily to capture anomalous query patterns originating from the WordPress process
  • Correlate plugin version inventory across WordPress installations against affected version 3.2.65 and earlier

Monitoring Recommendations

  • Alert on HTTP 500 responses from plugin endpoints, which often accompany failed injection attempts
  • Monitor outbound database errors logged to debug.log when WP_DEBUG is enabled
  • Track WordPress user account creation and capability changes following suspicious plugin requests

How to Mitigate CVE-2025-39587

Immediate Actions Required

  • Update the Cost Calculator Builder plugin to a version released after 3.2.65 once available from Stylemix
  • Deactivate and remove the plugin on sites where an upgrade path is not immediately possible
  • Restrict access to WordPress administrative and AJAX endpoints via IP allowlisting where feasible

Patch Information

At the time of NVD publication, the advisory lists affected versions through 3.2.65. Site administrators should consult the Patchstack advisory and the official Stylemix plugin page for the latest patched release and apply it across all WordPress instances.

Workarounds

  • Deploy a WAF ruleset that blocks SQL injection payloads targeting cost-calculator-builder request parameters
  • Apply database least-privilege by ensuring the WordPress database user cannot execute administrative SQL such as FILE or GRANT
  • Take backups of the WordPress database and filesystem before remediation to support forensic review if compromise is suspected
```apache
# Configuration example: ModSecurity rule blocking common SQLi payloads to the plugin endpoint.
# Caveat: the bare "--" alternative also matches legitimate values that contain two hyphens,
# so tune it (for example, require trailing whitespace) before running in blocking mode.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1003958701,msg:'Block SQLi against cost-calculator-builder'"
    SecRule ARGS "@rx (?i)(union(\s)+select|sleep\(|benchmark\(|--|;--|/\*)" "t:none,t:urlDecodeUni"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
