The vulnerability identified as CVE-2025-66091 affects the Design Stylish Cost Calculator plugin, a tool commonly integrated into websites to provide cost calculation functionalities. The issue is a DOM-based Cross-site Scripting (XSS) vulnerability caused by improper neutralization of input during web page generation. Specifically, the plugin fails to adequately sanitize or encode user-supplied input before it is processed and rendered in the browser's Document Object Model (DOM). This flaw allows attackers to inject malicious JavaScript code that executes in the context of the victim's browser session. Unlike reflected or stored XSS, DOM-based XSS occurs entirely on the client side, making detection and mitigation more challenging. The affected versions include all releases up to 8.1.5, with no patch currently linked or available at the time of publication. Exploitation typically requires an attacker to craft a malicious URL or input that, when visited or interacted with by a user, triggers the execution of the injected script. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed on behalf of the user. Although no known exploits are reported in the wild, the vulnerability's presence in a widely used plugin poses a significant risk. The lack of a CVSS score necessitates an assessment based on the vulnerability's characteristics: it impacts confidentiality and integrity, requires no authentication but does require user interaction, and affects a broad user base due to the plugin's popularity. The vulnerability is classified as high severity due to these factors.

For European organizations, the impact of CVE-2025-66091 can be substantial, particularly for those relying on the Stylish Cost Calculator plugin in their web infrastructure. Successful exploitation could compromise the confidentiality of user data by enabling attackers to steal session cookies, login credentials, or other sensitive information accessible via the browser. Integrity may also be affected as attackers could manipulate client-side data or perform unauthorized actions on behalf of users, potentially leading to fraudulent transactions or data corruption. The availability impact is generally low for XSS, but reputational damage and loss of customer trust can be significant. Sectors such as e-commerce, financial services, and any business offering online cost estimation tools are at heightened risk. Additionally, regulatory frameworks like GDPR impose strict requirements on data protection, and exploitation of this vulnerability could lead to compliance violations and associated penalties. The risk is amplified in environments where users have elevated privileges or where the plugin is integrated with other critical systems.

1. Monitor for official patches or updates from the vendor and apply them immediately once available. 2. In the absence of patches, implement strict input validation and output encoding on all user-supplied data processed by the plugin to neutralize potentially malicious scripts. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the attack surface for XSS. 4. Conduct thorough code reviews and security testing of the plugin integration to identify and remediate unsafe DOM manipulations. 5. Educate users about the risks of clicking unknown or suspicious links that could trigger XSS attacks. 6. Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the affected plugin. 7. Consider isolating or sandboxing the plugin's functionality to limit the scope of potential script execution. 8. Regularly audit and monitor web application logs for unusual activity indicative of exploitation attempts.