CVE-2026-10865

MEDIUM

CVSS v3.1: 5.3 · EPSS: 0.0033 (24.9 percentile)

NetworkNo privilegesNo user interactionInformation ExposureVendor advisory ref

Source data as of:

At a glance

Severity
MEDIUM
CVSS
5.3 v3.1 · NVD
EPSS
0.0033 (24.9 percentile) · FIRST.org
CISA KEV
No
Type
Information Exposure · NVD CWE
Attack conditions (CVSS vector)
NetworkNo privilegesNo user interaction · Source: NVD Vector
Published
2026-07-11 · Modified: 2026-07-11

CVSS / EPSS / KEV

CVSS v3.1 5.3 / 10 MEDIUM Source: NVD
EPSS 0.0033 24.9 percentile Source: FIRST.org
CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the (template body). This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal client_secret embedded in the page source of any page containing a calculator, enabling full control of the merchant's payment gateway accounts. This exposure only occurs when the 'use in all calculators' option is enabled for one or more payment gateways in the plugin's global settings.

Record details

CVE ID
CVE-2026-10865
CVSS (v3.1)
5.3 (MEDIUM)
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability subscore
3.9
Impact subscore
1.4
EPSS
0.0033 (24.9 percentile) — 2026-07-12
CISA KEV
No
Weakness (CWE)
CWE-200
Affected configurations (CPE)
0
Published
2026-07-11
Modified
2026-07-11
Status
Received

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.