CVE-2024-4787: CWE-20 Improper Input Validation in StylemixThemes Cost Calculator Builder PRO
The Cost Calculator Builder PRO plugin for WordPress is vulnerable to arbitrary email sending in versions up to, and including, 3.1.75. This is due to insufficient limitations on the email recipient and the content in the 'send_pdf' and 'send_pdf_front' functions, which are reachable via AJAX. This makes it possible for unauthenticated attackers to send emails with any content to any recipient.
AI Analysis
Technical Summary
The Cost Calculator Builder PRO plugin for WordPress versions up to 3.1.75 contains an improper input validation vulnerability (CWE-20) identified as CVE-2024-4787. This flaw exists in the 'send_pdf' and 'send_pdf_front' functions accessible via AJAX, which do not sufficiently restrict the email recipient or content parameters. As a result, unauthenticated attackers can send arbitrary emails to arbitrary recipients. The CVSS 3.1 base score is 5.8 (medium), reflecting network attack vector, no privileges required, no user interaction, scope changed, no confidentiality impact, limited integrity impact, and no availability impact. No known exploits in the wild or patches are currently documented.
Potential Impact
The vulnerability allows unauthenticated attackers to send arbitrary emails with any content to any recipient via the vulnerable plugin's AJAX endpoints. This can lead to misuse such as spam or phishing emails being sent from the affected WordPress site. There is no direct impact on confidentiality or availability, but the integrity of email communications can be compromised. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling or restricting access to the 'send_pdf' and 'send_pdf_front' AJAX functions if possible. Monitor for updates from StylemixThemes regarding a security patch. Avoid exposing the affected plugin on publicly accessible sites without additional protective controls.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-05-10T20:17:46.254Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b96b7ef31ef0b556f2b
Added to database: 2/25/2026, 9:37:26 PM
Last enriched: 4/9/2026, 8:07:54 PM
Last updated: 4/12/2026, 3:40:02 AM