Shared security patch analysis results
AI Used: deepseek deepseek-reasoner
--- cache/cost-calculator-builder_3.2.15/cost-calculator-builder.php 2025-11-16 19:11:14.723728374 +0000+++ cache/cost-calculator-builder_3.2.16/cost-calculator-builder.php 2025-11-16 19:11:16.845864618 +0000@@ -8,7 +8,7 @@ * License: GNU General Public License v2 or later * License URI: http://www.gnu.org/licenses/gpl-2.0.html * Text Domain: cost-calculator-builder- * Version: 3.2.15+ * Version: 3.2.16 */ if ( ! defined( 'ABSPATH' ) ) {@@ -17,7 +17,7 @@ define( 'CALC_DIR', __DIR__ ); define( 'CALC_FILE', __FILE__ );-define( 'CALC_VERSION', '3.2.15' );+define( 'CALC_VERSION', '3.2.16' ); define( 'CALC_WP_TESTED_UP', '6.5.5' ); define( 'CALC_DB_VERSION', '3.2.15' ); define( 'CALC_PATH', dirname( CALC_FILE ) );
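Review bot: CALC_DB_VERSION stays at '3.2.15' in the second hunk while CALC_VERSION moves to '3.2.16'. That is consistent with this release touching no table schema (the Discounts.php CREATE TABLE hunk is whitespace-only), but a short changelog note saying the DB version is intentionally unchanged would save the next reviewer from re-checking every model file for a missed migration.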
Vulnerability Existed: no
No vulnerability detected - N/A - cost-calculator-builder.php [Lines 8,11,14]
Old Code:
```php
 * Version: 3.2.15
define( 'CALC_VERSION', '3.2.15' );
define( 'CALC_DB_VERSION', '3.2.15' );
```
Fixed Code:
```php
 * Version: 3.2.16
define( 'CALC_VERSION', '3.2.16' );
define( 'CALC_DB_VERSION', '3.2.15' );
```
Explanation: The diff only updates version numbers in comments and constants. No user input is involved, and no code logic changes are present that could introduce or fix a vulnerability. The constants are hardcoded strings with no sinks or sources, so no taint flow exists.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Cost Calculator Builder allows SQL Injection. This issue affects Cost Calculator Builder: from n/a through 3.2.15.
--- cache/cost-calculator-builder_3.2.15/includes/classes/models/Discounts.php 2025-11-16 19:11:14.863737363 +0000+++ cache/cost-calculator-builder_3.2.16/includes/classes/models/Discounts.php 2025-11-16 19:11:17.012875341 +0000@@ -19,21 +19,21 @@ $primary_key = self::$primary_key; $sql = "CREATE TABLE IF NOT EXISTS {$table_name} (- {$primary_key} INT UNSIGNED NOT NULL AUTO_INCREMENT,- title TEXT,- calc_id INT UNSIGNED NOT NULL,- is_promo TINYINT(1) DEFAULT 0,- view_type ENUM('show_with_title', 'show_without_title') NOT NULL,- period ENUM('period', 'single_day', 'permanently') NOT NULL,- period_start_date DATE,- period_end_date DATE,- single_date DATE,- discount_status ENUM('active', 'upcoming', 'ended') NOT NULL DEFAULT 'upcoming',- created_at TIMESTAMP NOT NULL,+ {$primary_key} INT UNSIGNED NOT NULL AUTO_INCREMENT,+ title TEXT,+ calc_id INT UNSIGNED NOT NULL,+ is_promo TINYINT(1) DEFAULT 0,+ view_type ENUM('show_with_title', 'show_without_title') NOT NULL,+ period ENUM('period', 'single_day', 'permanently') NOT NULL,+ period_start_date DATE,+ period_end_date DATE,+ single_date DATE,+ discount_status ENUM('active', 'upcoming', 'ended') NOT NULL DEFAULT 'upcoming',+ created_at TIMESTAMP NOT NULL, updated_at TIMESTAMP NOT NULL,- PRIMARY KEY ({$primary_key}),- INDEX `idx_calc_id` (`calc_id`),- INDEX `idx_created_at` (`created_at`)+ PRIMARY KEY ({$primary_key}),+ INDEX `idx_calc_id` (`calc_id`),+ INDEX `idx_created_at` (`created_at`) ) {$wpdb->get_charset_collate()};"; maybe_create_table( $table_name, $sql );@@ -122,22 +122,22 @@ $sql = sprintf( 'SELECT %1$s.*,- %1$s.discount_id as discount_id,- %1$s.title as title,- %1$s.is_promo as is_promo,- %1$s.view_type as view_type,- %1$s.period as period,- %1$s.period_start_date as period_start_date,- %1$s.period_end_date as period_end_date,- %1$s.single_date as single_date,- %1$s.discount_status as discount_status,- %2$s.promocode_count as promocode_count,- %2$s.promocode as promocode,- %2$s.promocode_used as promocode_used- 
FROM %1$s- LEFT JOIN %2$s ON %1$s.discount_id = %2$s.discount_id- WHERE %1$s.calc_id in (%3$s) AND %1$s.discount_id in (%4$s)- ',+ %1$s.discount_id as discount_id,+ %1$s.title as title,+ %1$s.is_promo as is_promo,+ %1$s.view_type as view_type,+ %1$s.period as period,+ %1$s.period_start_date as period_start_date,+ %1$s.period_end_date as period_end_date,+ %1$s.single_date as single_date,+ %1$s.discount_status as discount_status,+ %2$s.promocode_count as promocode_count,+ %2$s.promocode as promocode,+ %2$s.promocode_used as promocode_used+ FROM %1$s+ LEFT JOIN %2$s ON %1$s.discount_id = %2$s.discount_id+ WHERE %1$s.calc_id in (%3$s) AND %1$s.discount_id in (%4$s)+ ', self::_table(), Promocodes::_table(), $calc_id,@@ -199,9 +199,9 @@ global $wpdb; $sql = sprintf( 'SELECT COUNT(%1$s.discount_id)- FROM %1$s- WHERE %1$s.calc_id in (%2$s)- ',+ FROM %1$s+ WHERE %1$s.calc_id in (%2$s)+ ', self::_table(), $params['calc_id'] );@@ -224,24 +224,24 @@ $sql = sprintf( 'SELECT %1$s.*,- %1$s.discount_id as discount_id,- %1$s.title as title,- %1$s.is_promo as is_promo,- %1$s.view_type as view_type,- %1$s.period as period,- %1$s.period_start_date as period_start_date,- %1$s.period_end_date as period_end_date,- %1$s.single_date as single_date,- %1$s.discount_status as discount_status,- %2$s.promocode_count as promocode_count,- %2$s.promocode as promocode,- %2$s.promocode_used as promocode_used- FROM %1$s- LEFT JOIN %2$s ON %1$s.discount_id = %2$s.discount_id- WHERE %1$s.calc_id in (%3$s)- %4$s- ORDER BY %1$s.%5$s %6$s LIMIT %7$s OFFSET %8$s- ',+ %1$s.discount_id as discount_id,+ %1$s.title as title,+ %1$s.is_promo as is_promo,+ %1$s.view_type as view_type,+ %1$s.period as period,+ %1$s.period_start_date as period_start_date,+ %1$s.period_end_date as period_end_date,+ %1$s.single_date as single_date,+ %1$s.discount_status as discount_status,+ %2$s.promocode_count as promocode_count,+ %2$s.promocode as promocode,+ %2$s.promocode_used as promocode_used+ FROM %1$s+ LEFT JOIN %2$s ON 
%1$s.discount_id = %2$s.discount_id+ WHERE %1$s.calc_id in (%3$s)+ %4$s+ ORDER BY %1$s.%5$s %6$s LIMIT %7$s OFFSET %8$s+ ', self::_table(), Promocodes::_table(), $calc_id,@@ -267,24 +267,26 @@ public static function get_all_calc_discounts( $calc_id ) { global $wpdb; + $calc_id = self::validate_calc_id( $calc_id );+ $sql = sprintf( 'SELECT %1$s.*,- %1$s.discount_id as discount_id,- %1$s.title as title,- %1$s.is_promo as is_promo,- %1$s.view_type as view_type,- %1$s.period as period,- %1$s.period_start_date as period_start_date,- %1$s.period_end_date as period_end_date,- %1$s.single_date as single_date,- %1$s.discount_status as discount_status,- %2$s.promocode_count as promocode_count,- %2$s.promocode as promocode,- %2$s.promocode_used as promocode_used- FROM %1$s- LEFT JOIN %2$s ON %1$s.discount_id = %2$s.discount_id- WHERE %1$s.calc_id in (%3$s)- ',+ %1$s.discount_id as discount_id,+ %1$s.title as title,+ %1$s.is_promo as is_promo,+ %1$s.view_type as view_type,+ %1$s.period as period,+ %1$s.period_start_date as period_start_date,+ %1$s.period_end_date as period_end_date,+ %1$s.single_date as single_date,+ %1$s.discount_status as discount_status,+ %2$s.promocode_count as promocode_count,+ %2$s.promocode as promocode,+ %2$s.promocode_used as promocode_used+ FROM %1$s+ LEFT JOIN %2$s ON %1$s.discount_id = %2$s.discount_id+ WHERE %1$s.calc_id in (%3$s)+ ', self::_table(), Promocodes::_table(), $calc_id@@ -307,26 +309,28 @@ return array(); } + $calc_id = self::validate_calc_id( $calc_id );+ $sql = sprintf( 'SELECT %1$s.*,- %1$s.discount_id as discount_id,- %1$s.title as title,- %1$s.is_promo as is_promo,- %1$s.view_type as view_type,- %1$s.period as period,- %1$s.period_start_date as period_start_date,- %1$s.period_end_date as period_end_date,- %1$s.single_date as single_date,- %1$s.discount_status as discount_status,- %2$s.promocode_count as promocode_count,- %2$s.promocode as promocode,- %2$s.promocode_used as promocode_used- FROM %1$s- LEFT JOIN %2$s ON 
%1$s.discount_id = %2$s.discount_id- WHERE %1$s.calc_id = %3$s - AND ( (%1$s.period_start_date IS NOT NULL AND CURDATE() BETWEEN %1$s.period_start_date AND %1$s.period_end_date) OR (%1$s.single_date IS NOT NULL AND %1$s.single_date = CURDATE()) OR (%1$s.period = "permanently"))- ORDER BY %1$s.discount_id ASC- ',+ %1$s.discount_id as discount_id,+ %1$s.title as title,+ %1$s.is_promo as is_promo,+ %1$s.view_type as view_type,+ %1$s.period as period,+ %1$s.period_start_date as period_start_date,+ %1$s.period_end_date as period_end_date,+ %1$s.single_date as single_date,+ %1$s.discount_status as discount_status,+ %2$s.promocode_count as promocode_count,+ %2$s.promocode as promocode,+ %2$s.promocode_used as promocode_used+ FROM %1$s+ LEFT JOIN %2$s ON %1$s.discount_id = %2$s.discount_id+ WHERE %1$s.calc_id = %3$s + AND ( (%1$s.period_start_date IS NOT NULL AND CURDATE() BETWEEN %1$s.period_start_date AND %1$s.period_end_date) OR (%1$s.single_date IS NOT NULL AND %1$s.single_date = CURDATE()) OR (%1$s.period = "permanently"))+ ORDER BY %1$s.discount_id ASC+ ', self::_table(), Promocodes::_table(), $calc_id@@ -349,26 +353,28 @@ return false; } + $calc_id = self::validate_calc_id( $calc_id );+ $sql = sprintf( 'SELECT %1$s.*,- %1$s.discount_id as discount_id,- %1$s.title as title,- %1$s.is_promo as is_promo,- %1$s.view_type as view_type,- %1$s.period as period,- %1$s.period_start_date as period_start_date,- %1$s.period_end_date as period_end_date,- %1$s.single_date as single_date,- %1$s.discount_status as discount_status,- %2$s.promocode_count as promocode_count,- %2$s.promocode as promocode,- %2$s.promocode_used as promocode_used- FROM %1$s- LEFT JOIN %2$s ON %1$s.discount_id = %2$s.discount_id- WHERE %1$s.calc_id = %3$s AND %1$s.is_promo IS NOT NULL- AND ( (%1$s.period_start_date IS NOT NULL AND CURDATE() BETWEEN %1$s.period_start_date AND %1$s.period_end_date) OR (%1$s.single_date IS NOT NULL AND %1$s.single_date = CURDATE()) OR (%1$s.period = "permanently"))- ORDER BY 
%1$s.discount_id ASC- ',+ %1$s.discount_id as discount_id,+ %1$s.title as title,+ %1$s.is_promo as is_promo,+ %1$s.view_type as view_type,+ %1$s.period as period,+ %1$s.period_start_date as period_start_date,+ %1$s.period_end_date as period_end_date,+ %1$s.single_date as single_date,+ %1$s.discount_status as discount_status,+ %2$s.promocode_count as promocode_count,+ %2$s.promocode as promocode,+ %2$s.promocode_used as promocode_used+ FROM %1$s+ LEFT JOIN %2$s ON %1$s.discount_id = %2$s.discount_id+ WHERE %1$s.calc_id = %3$s AND %1$s.is_promo IS NOT NULL+ AND ( (%1$s.period_start_date IS NOT NULL AND CURDATE() BETWEEN %1$s.period_start_date AND %1$s.period_end_date) OR (%1$s.single_date IS NOT NULL AND %1$s.single_date = CURDATE()) OR (%1$s.period = "permanently"))+ ORDER BY %1$s.discount_id ASC+ ', self::_table(), Promocodes::_table(), $calc_id@@ -381,6 +387,9 @@ public static function get_promocodes_by_promocode( $calc_id, $promocodes ) { global $wpdb; + $calc_id = self::validate_calc_id( $calc_id );+ $promocodes = self::validate_promocodes( $calc_id, $promocodes );+ $quotedPromocodes = array_map( function( $value ) { return "'$value'";@@ -390,22 +399,22 @@ $sql = sprintf( 'SELECT %1$s.*,- %1$s.discount_id as discount_id,- %1$s.period as period,- %1$s.period_start_date as period_start_date,- %1$s.period_end_date as period_end_date,- %1$s.single_date as single_date,- %2$s.promocode_id as promocode_id,- %2$s.promocode_count as promocode_count,- %2$s.promocode as promocode,- %2$s.promocode_used as promocode_used- FROM %1$s- LEFT JOIN %2$s ON %1$s.discount_id = %2$s.discount_id- WHERE %1$s.calc_id = %3$s - AND ( (%1$s.period_start_date IS NOT NULL AND CURDATE() BETWEEN %1$s.period_start_date AND %1$s.period_end_date) OR (%1$s.single_date IS NOT NULL AND %1$s.single_date = CURDATE()) OR (%1$s.period = "permanently"))- AND %2$s.promocode IN (%4$s)- ORDER BY %1$s.discount_id ASC- ',+ %1$s.discount_id as discount_id,+ %1$s.period as period,+ %1$s.period_start_date as 
period_start_date,+ %1$s.period_end_date as period_end_date,+ %1$s.single_date as single_date,+ %2$s.promocode_id as promocode_id,+ %2$s.promocode_count as promocode_count,+ %2$s.promocode as promocode,+ %2$s.promocode_used as promocode_used+ FROM %1$s+ LEFT JOIN %2$s ON %1$s.discount_id = %2$s.discount_id+ WHERE %1$s.calc_id = %3$s + AND ( (%1$s.period_start_date IS NOT NULL AND CURDATE() BETWEEN %1$s.period_start_date AND %1$s.period_end_date) OR (%1$s.single_date IS NOT NULL AND %1$s.single_date = CURDATE()) OR (%1$s.period = "permanently"))+ AND %2$s.promocode IN (%4$s)+ ORDER BY %1$s.discount_id ASC+ ', self::_table(), Promocodes::_table(), $calc_id,@@ -452,4 +461,35 @@ return $discounts; }++ public static function validate_calc_id( $calc_id ) {+ if ( is_int( intval( $calc_id ) ) ) {+ return intval( $calc_id );+ }+ return 0;+ }++ public static function validate_promocodes( $calc_id, $promocodes ) {+ $discounts = self::get_all_calc_discounts( $calc_id );+ $existing_promocodes = array();+ $result = array();++ foreach ( $discounts as $discount ) {+ if ( ! empty( $discount['promocode'] ) ) {+ $existing_promocodes[] = $discount['promocode'];+ }+ }++ foreach ( $promocodes as $promocode ) {+ if ( in_array( $promocode, $existing_promocodes, true ) ) {+ $result[] = $promocode;+ }+ }++ if ( empty( $result ) ) {+ $result[] = '';+ }++ return $result;+ } }
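Review bot: the hunks at -122, -199 and -224 are whitespace-only, yet the queries they touch still assemble SQL with sprintf: the calc_id and discount_id lists enter through %3$s and %4$s, $params['calc_id'] through %2$s, and at -224 the ORDER BY column and direction and the LIMIT/OFFSET values through %5$s to %8$s. Unlike the hunks at -267, -307, -349 and -381, no validate_calc_id() call is visible in these three methods, so whether they are covered by this fix depends on callers the diff does not show. Prefer $wpdb->prepare() with %d placeholders for the integer values and a fixed whitelist for the ORDER BY column, since an identifier cannot be parameterised.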
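Review bot: at -381 the new validate_promocodes() restricts $promocodes to codes already stored for this calculator (strict in_array() against get_all_calc_discounts()), which is what makes the untouched `return "'$value'";` quoting tolerable, but it is still not escaping: a stored promocode containing a single quote would break the query at %4$s. Wrap the surviving codes with esc_sql(), or better build the IN list with $wpdb->prepare() and one %s per code. Note also that validate_promocodes() calls get_all_calc_discounts(), which itself calls validate_calc_id(), so the validate_calc_id() added directly above it in get_promocodes_by_promocode() runs twice; that is harmless, but the extra discounts query on every promocode lookup is not free.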
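Review bot: in validate_calc_id() the test `is_int( intval( $calc_id ) )` is always true, because intval() returns an int for any input, so the `return 0;` branch is unreachable and the method is equivalent to `return intval( $calc_id );`. That still neutralises the injection (only an integer can reach %3$s), but the dead branch suggests the intent was to reject non-numeric input; if so, check is_numeric() before casting, or use WordPress's absint(), and document that a return of 0 means "no calculator" so callers do not treat it as a valid id.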
--- cache/cost-calculator-builder_3.2.15/includes/classes/models/Payments.php 2025-11-16 19:11:14.863737363 +0000+++ cache/cost-calculator-builder_3.2.16/includes/classes/models/Payments.php 2025-11-16 19:11:17.012875341 +0000@@ -83,19 +83,16 @@ $paymentType = ( $data['type'] && in_array( $data['type'], self::$typeList, true ) ) ? $data['type'] : self::$defaultType; - $exist = self::payment_by_order_id_exist( $order_id );- if ( empty( $exist ) ) {- $payment_data = array(- 'order_id' => $order_id,- 'type' => $paymentType,- 'currency' => ! isset( $data['currency'] ) ? '$' : $data['currency'],- 'status' => self::$defaultStatus,- 'total' => $data['total'],- 'created_at' => wp_date( 'Y-m-d H:i:s' ),- 'updated_at' => wp_date( 'Y-m-d H:i:s' ),- );- self::insert( $payment_data );- }+ $payment_data = array(+ 'order_id' => $order_id,+ 'type' => $paymentType,+ 'currency' => ! isset( $data['currency'] ) ? '$' : $data['currency'],+ 'status' => self::$defaultStatus,+ 'total' => $data['total'],+ 'created_at' => wp_date( 'Y-m-d H:i:s' ),+ 'updated_at' => wp_date( 'Y-m-d H:i:s' ),+ );+ self::insert( $payment_data ); return $order_id; }
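Review bot: dropping the payment_by_order_id_exist() guard means every call now inserts a new payments row for $order_id, so a repeated submission with the same order id produces duplicate payment records unless the table enforces uniqueness on order_id, which this diff does not show. If the duplicate check was removed deliberately, state the reason in the commit message; if it was removed to avoid an unsafe lookup, the better fix is to keep the check and parameterise the lookup. The unchanged `'total' => $data['total']` line also still depends entirely on self::insert() for escaping.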
Vulnerability Existed: no
No specific vulnerability identified in the provided code change. The modification removes a duplicate check for order_id but does not introduce unsanitized user input reaching a dangerous sink. The data used in the payment_data array is either validated (e.g., 'type' is checked against a whitelist), has defaults, or is generated server-side. Without evidence of how self::insert handles the data, it is assumed to use safe practices such as prepared statements, as per WordPress standards. The change primarily affects business logic (potential duplicate entries) rather than security.
--- cache/cost-calculator-builder_3.2.15/includes/functions.php 2025-11-16 19:11:14.864737427 +0000+++ cache/cost-calculator-builder_3.2.16/includes/functions.php 2025-11-16 19:11:17.013875405 +0000@@ -508,7 +508,7 @@ array( 'parent' => 'ccb-admin-menu', 'id' => 'ccb-admin-menu-items-settings',- 'title' => __( 'Settings', 'cost-calculator-builder' ),+ 'title' => __( 'Global Settings', 'cost-calculator-builder' ), 'href' => get_admin_url( null, 'admin.php?page=cost_calculator_builder&tab=settings' ), 'meta' => array( 'class' => 'ccb-admin-menu-item',
No vulnerabilities were identified in the provided diff. The change is a cosmetic update to a menu title string and does not involve user input, data flow, or security-sensitive operations.
--- cache/cost-calculator-builder_3.2.15/templates/admin/single-calc/fields/checkbox-field.php 2025-11-16 19:11:14.877738261 +0000+++ cache/cost-calculator-builder_3.2.16/templates/admin/single-calc/fields/checkbox-field.php 2025-11-16 19:11:17.026876240 +0000@@ -290,7 +290,7 @@ </div> </div> </div>- <div class="row-currency" :class="{'disabled': !checkboxField.fieldCurrency}">+ <div class="row row-currency" :class="{'disabled': !checkboxField.fieldCurrency}"> <div class="col-4"> <div class="ccb-input-wrapper"> <span class="ccb-input-label"><?php esc_html_e( 'Unit Symbol', 'cost-calculator-builder' ); ?></span>
Vulnerability Existed: no
No vulnerability - N/A - templates/admin/single-calc/fields/checkbox-field.php [290]
Old Code: `<div class="row-currency" :class="{'disabled': !checkboxField.fieldCurrency}">`
Fixed Code: `<div class="row row-currency" :class="{'disabled': !checkboxField.fieldCurrency}">`
Explanation: The change adds a static CSS class "row" to the div element. This is purely a presentational modification and does not involve any user input, data validation, sanitization, or security-sensitive operations. The :class binding remains unchanged and is handled by the Vue.js framework, which manages class assignments safely. No taint flow from user input to a sink is introduced or altered by this change.
--- cache/cost-calculator-builder_3.2.15/templates/admin/single-calc/fields/drop-down-field.php 2025-11-16 19:11:14.877738261 +0000+++ cache/cost-calculator-builder_3.2.16/templates/admin/single-calc/fields/drop-down-field.php 2025-11-16 19:11:17.026876240 +0000@@ -204,7 +204,7 @@ </div> </div> </div>- <div class="row-currency" :class="{'disabled': !dropField.fieldCurrency}">+ <div class="row row-currency" :class="{'disabled': !dropField.fieldCurrency}"> <div class="col-4"> <div class="ccb-input-wrapper"> <span class="ccb-input-label"><?php esc_html_e( 'Unit symbol', 'cost-calculator-builder' ); ?></span>
Vulnerability Existed: no
CWE-79 - Cross-site Scripting - templates/admin/single-calc/fields/drop-down-field.php [204]
Old Code: `<div class="row-currency" :class="{'disabled': !dropField.fieldCurrency}">`
Fixed Code: `<div class="row row-currency" :class="{'disabled': !dropField.fieldCurrency}">`
Explanation: The code change involves modifying a CSS class in a Vue.js template. The dynamic :class binding is handled by Vue.js, which automatically escapes content to prevent XSS. The PHP function esc_html_e is used for safe output translation. No user input flows unsanitized to any sink in this line, and the alteration does not introduce or affect any data flow that could lead to a vulnerability.
--- cache/cost-calculator-builder_3.2.15/templates/admin/single-calc/fields/quantity-field.php 2025-11-16 19:11:14.877738261 +0000+++ cache/cost-calculator-builder_3.2.16/templates/admin/single-calc/fields/quantity-field.php 2025-11-16 19:11:17.026876240 +0000@@ -226,7 +226,7 @@ </div> </div> </div>- <div class="row-currency" :class="{'disabled': !quantityField.fieldCurrency}">+ <div class="row row-currency" :class="{'disabled': !quantityField.fieldCurrency}"> <div class="col-4"> <div class="ccb-input-wrapper"> <span class="ccb-input-label"><?php esc_html_e( 'Unit Symbol', 'cost-calculator-builder' ); ?></span>
Vulnerability Existed: no
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - templates/admin/single-calc/fields/quantity-field.php [Line 226]
Old Code: `<div class="row-currency" :class="{'disabled': !quantityField.fieldCurrency}">`
Fixed Code: `<div class="row row-currency" :class="{'disabled': !quantityField.fieldCurrency}">`
Explanation: The change adds a static CSS class "row" to the div element. The :class binding in Vue.js uses a boolean expression (`!quantityField.fieldCurrency`) to toggle the 'disabled' class. The class names ('row', 'row-currency', 'disabled') are hardcoded and not derived from user input. Vue.js automatically handles attribute binding safely, preventing XSS by escaping dynamic values. The PHP translation function `esc_html_e` is properly used for the label. No user-controlled data reaches the sink (HTML class attribute) in an unsanitized manner, as the binding only controls the presence of a predefined class based on a boolean condition.
--- cache/cost-calculator-builder_3.2.15/templates/admin/single-calc/fields/radio-button-field.php 2025-11-16 19:11:14.877738261 +0000+++ cache/cost-calculator-builder_3.2.16/templates/admin/single-calc/fields/radio-button-field.php 2025-11-16 19:11:17.027876304 +0000@@ -267,7 +267,7 @@ </div> </div> </div>- <div class="row-currency" :class="{'disabled': !radioField.fieldCurrency}">+ <div class="row row-currency" :class="{'disabled': !radioField.fieldCurrency}"> <div class="col-4"> <div class="ccb-input-wrapper"> <span class="ccb-input-label"><?php esc_html_e( 'Unit Symbol', 'cost-calculator-builder' ); ?></span>
Vulnerability Existed: no
No specific CWE identified - N/A - templates/admin/single-calc/fields/radio-button-field.php [Line 267]
Old Code:
```php
<div class="row-currency" :class="{'disabled': !radioField.fieldCurrency}">
```
Fixed Code:
```php
<div class="row row-currency" :class="{'disabled': !radioField.fieldCurrency}">
```
Explanation:
The change adds a static CSS class "row" to the div element. There is no user-controlled data involved in this line. The `:class` directive binds to `radioField.fieldCurrency`, which is used in a boolean context to toggle the "disabled" class. This does not allow arbitrary input or expose any sink for XSS or other vulnerabilities, as classes are safe and the expression is handled by Vue.js without interpreting user input as code.
--- cache/cost-calculator-builder_3.2.15/templates/admin/single-calc/fields/range-button-field.php 2025-11-16 19:11:14.877738261 +0000+++ cache/cost-calculator-builder_3.2.16/templates/admin/single-calc/fields/range-button-field.php 2025-11-16 19:11:17.027876304 +0000@@ -218,7 +218,7 @@ </div> </div> </div>- <div class="row-currency" :class="{'disabled': !rangeField.fieldCurrency}">+ <div class="row row-currency" :class="{'disabled': !rangeField.fieldCurrency}"> <div class="col-4"> <div class="ccb-input-wrapper"> <span class="ccb-input-label"><?php esc_html_e( 'Unit Symbol', 'cost-calculator-builder' ); ?></span>
Vulnerability Existed: no
No vulnerability detected - N/A - templates/admin/single-calc/fields/range-button-field.php [Line 218]
Old Code: `<div class="row-currency" :class="{'disabled': !rangeField.fieldCurrency}">`
Fixed Code: `<div class="row row-currency" :class="{'disabled': !rangeField.fieldCurrency}">`
Explanation: The change adds a static CSS class "row" to the div element. There is no user input involved in this change; the classes are hardcoded or bound to Vue data properties. Vue's class binding safely handles the attribute rendering, and no attacker-controlled values reach any sink (e.g., DOM manipulation). The PHP parts in the file use proper escaping (e.g., `esc_html_e`). Thus, no security vulnerability is introduced or fixed.
--- cache/cost-calculator-builder_3.2.15/templates/admin/single-calc/fields/toggle-field.php 2025-11-16 19:11:14.878738326 +0000+++ cache/cost-calculator-builder_3.2.16/templates/admin/single-calc/fields/toggle-field.php 2025-11-16 19:11:17.027876304 +0000@@ -275,7 +275,7 @@ </div> </div> </div>- <div class="row-currency" :class="{'disabled': !toggleField.fieldCurrency}">+ <div class="row row-currency" :class="{'disabled': !toggleField.fieldCurrency}"> <div class="col-4"> <div class="ccb-input-wrapper"> <span class="ccb-input-label"><?php esc_html_e( 'Unit Symbol', 'cost-calculator-builder' ); ?></span>
Vulnerability Existed: no
No specific CWE - N/A - templates/admin/single-calc/fields/toggle-field.php [275]
Old Code:
```php
<div class="row-currency" :class="{'disabled': !toggleField.fieldCurrency}">
```
Fixed Code:
```php
<div class="row row-currency" :class="{'disabled': !toggleField.fieldCurrency}">
```
Explanation:
The change adds a CSS class "row" to a div element. No user input is processed or output in this code snippet. The PHP function `esc_html_e` is used for a static translation string, which safely escapes HTML. The Vue.js `:class` binding relies on `toggleField.fieldCurrency`, but the diff does not alter how this data is handled or introduce any user input flow. Therefore, no vulnerability is introduced or fixed by this change.
--- cache/cost-calculator-builder_3.2.15/templates/admin/single-calc/fields/total-field.php 2025-11-16 19:11:14.878738326 +0000+++ cache/cost-calculator-builder_3.2.16/templates/admin/single-calc/fields/total-field.php 2025-11-16 19:11:17.027876304 +0000@@ -98,7 +98,7 @@ </div> </div> </div>- <div class="row-currency" :class="{'disabled': !totalField.fieldCurrency}">+ <div class="row row-currency" :class="{'disabled': !totalField.fieldCurrency}"> <div class="col-4"> <div class="ccb-input-wrapper"> <span class="ccb-input-label"><?php esc_html_e( 'Unit Symbol', 'cost-calculator-builder' ); ?></span>
Vulnerability Existed: no
No vulnerability detected - N/A - templates/admin/single-calc/fields/total-field.php [Line 98]
Old Code:
```html
<div class="row-currency" :class="{'disabled': !totalField.fieldCurrency}">
```
Fixed Code:
```html
<div class="row row-currency" :class="{'disabled': !totalField.fieldCurrency}">
```
Explanation:
The change adds a static CSS class "row" to a div element. This is a purely cosmetic modification and does not involve any user input, data handling, or security-sensitive operations. The Vue.js class binding `:class="{'disabled': !totalField.fieldCurrency}"` safely handles the conditional class application, and there is no evidence of attacker-controlled values reaching any sink (e.g., XSS or injection vectors). The code does not introduce or fix a security vulnerability.