
CVE-2025-66091: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Design Stylish Cost Calculator

Severity: Medium
Tags: Vulnerability, CVE-2025-66091, cve
Published: Fri Nov 21 2025 (11/21/2025, 12:29:59 UTC)
Source: CVE Database V5
Vendor/Project: Design
Product: Stylish Cost Calculator

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator (stylish-cost-calculator) allows DOM-based XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.5.

AI-Powered Analysis

Last updated: 01/31/2026, 08:05:04 UTC

Technical Analysis

CVE-2025-66091 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the Design Stylish Cost Calculator plugin, affecting versions up to and including 8.1.5. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be injected and executed in the victim's browser. Unlike reflected or stored XSS, DOM-based XSS occurs entirely on the client side: the plugin's own JavaScript reads attacker-controllable data (for example from the URL) and writes it into the Document Object Model through an unsafe sink, so server-side sanitization never sees the payload. The CVSS score of 6.5 (medium severity) indicates that the attack vector is network-based (AV:N) and the attack complexity is low (AC:L), but that privileges (PR:L) and user interaction (UI:R) are required. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact includes partial loss of confidentiality, integrity, and availability, as attackers can execute arbitrary scripts to steal session tokens, manipulate page content, or disrupt the page. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to web applications using this plugin, especially those handling sensitive user data or financial transactions. No patch was available at the time of publication, so mitigation strategies need immediate attention. The vulnerability is particularly relevant for websites that use the Stylish Cost Calculator plugin for cost estimation or pricing functionality, which is common on e-commerce and service-oriented platforms.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information such as user credentials, session cookies, or personal data, potentially violating GDPR requirements. The integrity of web content can be compromised, misleading users or injecting fraudulent content, which could damage brand reputation and customer trust. Availability might be affected if attackers leverage the vulnerability to perform denial-of-service attacks or disrupt normal application workflows. Organizations in sectors like e-commerce, finance, and online services that rely on the Stylish Cost Calculator plugin are at higher risk. Additionally, the requirement for user interaction means phishing or social engineering campaigns could be used to trigger exploitation. The cross-border nature of web applications means that attacks could originate from outside Europe, complicating incident response. Failure to address this vulnerability could result in regulatory penalties and financial losses due to fraud or data breaches.

Mitigation Recommendations

1. Monitor for and apply vendor patches promptly once released to address CVE-2025-66091.
2. Until patches are available, implement strict input validation and output encoding on all user-supplied data processed by the plugin, focusing on sanitizing inputs that affect DOM manipulation.
3. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce the impact of XSS attacks.
4. Conduct thorough code reviews and penetration testing focusing on client-side scripts and DOM manipulation within the affected plugin.
5. Educate users and administrators about the risks of clicking untrusted links or interacting with suspicious content that could trigger XSS payloads.
6. Use web application firewalls (WAFs) with rules tailored to detect and block XSS attack patterns targeting the Stylish Cost Calculator plugin.
7. Isolate or sandbox the plugin's execution context where possible to limit the scope of potential exploitation.
8. Maintain comprehensive logging and monitoring to detect anomalous behavior indicative of exploitation attempts.
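The following is an added illustration of recommendations 2 and 3, written for this page and not taken from the Stylish Cost Calculator plugin (the advisory does not disclose the affected code path). It models the generic DOM-XSS pattern the analysis describes: a calculator script reads a label and a quantity from the URL and writes them into the page. The element is represented as a plain object with an `innerHTML` property so the functions run under Node.js as well as in a browser; in a real page you would pass a DOM element such as `document.getElementById("calc-output")`. All function names, the query parameters `label` and `qty`, and the sample URL are assumptions made for this example.

```javascript
// Added example (not the plugin's code). Demonstrates the unsafe
// source-to-sink flow behind a DOM-based XSS and the hardened equivalent.

// Escape the five characters that matter in an HTML text/attribute context.
// Use this only when markup must be assembled from strings; in a browser,
// assigning element.textContent is simpler and cannot be parsed as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only a finite, non-negative quantity; anything else is rejected
// rather than coerced, so calculator arithmetic never runs on garbage.
function parseQuantity(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  const n = Number(raw);
  return Number.isFinite(n) && n >= 0 ? n : null;
}

// VULNERABLE pattern: URL-controlled text is concatenated into innerHTML.
// Whatever markup the link carried is parsed and executed by the browser.
function renderEstimateUnsafe(el, queryString, unitPrice) {
  const params = new URLSearchParams(queryString);   // source: the URL
  const label = params.get("label") ?? "";
  const qty = Number(params.get("qty"));
  const total = qty * unitPrice;
  el.innerHTML = "<b>" + label + "</b>: " + total;    // sink: innerHTML
  return total;
}

// HARDENED pattern: the same flow, but the untrusted string is encoded
// before it reaches the sink and the number is validated first.
function renderEstimateSafe(el, queryString, unitPrice) {
  const params = new URLSearchParams(queryString);
  const label = params.get("label") ?? "";
  const qty = parseQuantity(params.get("qty") ?? "");
  if (qty === null) {
    el.innerHTML = "<b>Invalid quantity</b>";          // static markup only
    return null;
  }
  const total = qty * unitPrice;
  el.innerHTML = "<b>" + escapeHtml(label) + "</b>: " + total;
  return total;
}

// A nonce-based CSP header value (recommendation 3). It blocks inline
// scripts and event handlers that an injected payload relies on, but it is
// defence in depth: the escaping above is what removes the bug itself.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    "script-src 'self' 'nonce-" + nonce + "'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Constructed sample: a link someone might be lured into opening.
const SAMPLE_QUERY = "?label=<i>Premium plan</i>&qty=3";

// Stand-alone run: compare what each renderer puts into the page.
const unsafeEl = { innerHTML: "" };
renderEstimateUnsafe(unsafeEl, SAMPLE_QUERY, 10);
console.log("unsafe:", unsafeEl.innerHTML);   // <i> survives as live markup

const safeEl = { innerHTML: "" };
renderEstimateSafe(safeEl, SAMPLE_QUERY, 10);
console.log("safe:  ", safeEl.innerHTML);     // <i> is shown as inert text
console.log("CSP:   ", buildCsp("r4nd0m"));
```

The unsafe renderer and the safe renderer compute the same total; the only difference is whether URL-derived text reaches `innerHTML` encoded or raw, which is exactly the distinction a code review of the plugin's client-side scripts (recommendation 4) should look for. A WAF or CSP cannot see the `innerHTML` assignment, so neither replaces the fix in the JavaScript itself.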


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-11-21T11:21:04.795Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69205c31c36be036e6ff275b

Added to database: 11/21/2025, 12:33:53 PM

Last enriched: 1/31/2026, 8:05:04 AM

Last updated: 2/4/2026, 2:27:16 PM

Views: 34

Community Reviews

0 reviews

