PatchSiren cyber security CVE debrief
CVE-2026-10865 stylemix CVE debrief
The Cost Calculator Builder plugin for WordPress, up to and including version 4.0.11, is vulnerable to Sensitive Information Exposure. This vulnerability allows unauthenticated attackers to extract plaintext Stripe secret keys, Razorpay secret keys, and PayPal client secrets from the page source of any page containing a calculator. This exposure occurs when the 'use in all calculators' option is enabled for one or more payment gateways in the plugin's global settings. Successful exploitation enables full control of the merchant's payment gateway accounts.
- Vendor
- stylemix
- Product
- Cost Calculator Builder
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Administrators of WordPress sites using the Cost Calculator Builder plugin, especially those with payment gateways integrated, should be aware of this vulnerability. Developers and security teams responsible for maintaining WordPress installations and plugins should prioritize patching or mitigating this issue.
Technical summary
The Cost Calculator Builder plugin for WordPress contains a Sensitive Information Exposure vulnerability. This issue arises from the plugin embedding sensitive information such as Stripe secret keys, Razorpay secret keys, and PayPal client secrets in the page source of calculator-containing pages when the 'use in all calculators' option is enabled for payment gateways. The vulnerability is exploitable by unauthenticated attackers, potentially leading to full control of merchant payment gateway accounts.
Defensive priority
High priority should be given to updating the Cost Calculator Builder plugin to a version that fixes this vulnerability. Site administrators should verify that the 'use in all calculators' option is not enabled for payment gateways and consider restricting access to calculator pages. Monitoring for suspicious activity related to payment gateway accounts is also advisable.
Recommended defensive actions
- Update the Cost Calculator Builder plugin to the latest version.
- Review and adjust the plugin's global settings to ensure the 'use in all calculators' option is not enabled for sensitive payment gateways.
- Monitor payment gateway accounts for suspicious activity.
- Consider implementing additional security measures such as restricting access to calculator pages.
- Verify that the plugin version is updated and the 'use in all calculators' option is disabled for all payment gateways.
- Conduct a thorough review of calculator page access controls and ensure they are properly restricted.
- Track and document changes made to the plugin configuration and monitor for any potential security incidents.
Evidence notes
The CVE record and NVD entry provide details on the vulnerability. The Wordfence security team has identified and reported this issue. Plugin version 4.0.11 and earlier are affected. Limited information is available on publicly disclosed exploits or attacks.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:44.927Z and has not been modified since then.