CVE-2025-14757 Overview
The Cost Calculator Builder plugin for WordPress contains an Unauthenticated Payment Status Bypass vulnerability affecting all versions up to and including 3.6.9 when used in combination with Cost Calculator Builder PRO. This vulnerability allows unauthenticated attackers to mark any order's payment status as "completed" without actual payment, effectively bypassing the e-commerce payment workflow entirely.
The vulnerability exists because the complete_payment AJAX action is registered via wp_ajax_nopriv, making it accessible to unauthenticated users. Additionally, the complete() function only verifies a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can exploit this flaw.
Critical Impact
Attackers can bypass payment verification and mark orders as completed without paying, leading to potential financial losses for businesses using this plugin.
Affected Products
- Cost Calculator Builder plugin for WordPress (versions up to and including 3.6.9)
- Cost Calculator Builder PRO (when used in combination with the free version)
- WordPress installations utilizing Cost Calculator Builder for e-commerce functionality
Discovery Timeline
- 2026-01-16 - CVE-2025-14757 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-14757
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), a fundamental access control flaw where the application fails to verify whether a user is authorized to perform a sensitive action. The complete_payment AJAX action is improperly exposed to unauthenticated users through WordPress's wp_ajax_nopriv_{action} hook, which exists specifically to serve AJAX requests from visitors who are not logged in; registering a state-changing payment handler there makes it reachable by anyone.
The critical failure lies in the complete() function within CCBOrderController.php, which only validates the presence of a nonce token without verifying user capabilities or confirming that the requesting user owns the order being modified. This creates a broken access control scenario where payment status can be manipulated by anyone who can extract the publicly exposed nonce values.
Root Cause
The root cause of this vulnerability is a missing authorization check in the payment completion workflow. While the plugin correctly implements nonce verification as a Cross-Site Request Forgery (CSRF) protection mechanism, it incorrectly assumes that nonce validation is sufficient for authorization. WordPress nonces are designed to prevent CSRF attacks, not to authorize users.
The exposure of nonces via the window.ccb_nonces JavaScript object in the page source makes them accessible to any visitor, and WordPress nonces generated for a logged-out visitor are in any case shared by all logged-out visitors. Combined with the registration of the AJAX handler via wp_ajax_nopriv, this creates a complete bypass of payment verification. The plugin should have implemented proper capability checks using functions like current_user_can() and ownership verification to ensure only authorized parties can modify order statuses. More fundamentally, a browser-initiated request should never be what marks an order as paid: the "completed" transition belongs to a server-side confirmation from the payment gateway (a signed webhook or a server-to-server status lookup), with the client only able to ask for that check to be performed.
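To make the distinction between CSRF protection and authorization concrete, the following is an added illustration, not the plugin's own code and not a reconstruction of CCBOrderController.php: the nonce-only handler pattern this advisory describes, beside a hardened form. Every name in it is hypothetical: the two classes, the example_order post type, the _payment_status, _gateway_txn_id and _amount_cents meta keys, the order_id request parameter, the ccb_nonce nonce action, and the gateway URL and its response shape are all assumptions made for the example.

```php
<?php
/**
 * Added example: the CWE-862 pattern described in this advisory next to a hardened form.
 * Hypothetical code for illustration; not the Cost Calculator Builder plugin's code.
 * Class names, post type, meta keys, request parameter, nonce action and gateway API are assumed.
 */

// --- Vulnerable pattern: reachable while logged out, and the nonce is the only check ----------
class Vulnerable_Order_Controller {
    public static function register() {
        // wp_ajax_nopriv_* exposes the handler to visitors who are not logged in.
        add_action( 'wp_ajax_nopriv_complete_payment', [ __CLASS__, 'complete' ] );
        add_action( 'wp_ajax_complete_payment',        [ __CLASS__, 'complete' ] );
    }

    public static function complete() {
        // A nonce only proves the request came from a page that printed it. The page prints it
        // for every visitor (window.ccb_nonces), so passing this check authorizes nothing.
        check_ajax_referer( 'ccb_nonce', 'nonce' );
        $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
        // No capability check, no ownership check, no gateway confirmation: any order ID is accepted.
        update_post_meta( $order_id, '_payment_status', 'completed' );
        wp_send_json_success( [ 'order_id' => $order_id ] );
    }
}

// --- Hardened form ----------------------------------------------------------------------------
class Hardened_Order_Controller {
    const ORDER_POST_TYPE    = 'example_order';                     // assumed
    const GATEWAY_STATUS_URL = 'https://gateway.example/v1/charges/'; // assumed

    public static function register() {
        // No nopriv registration: logged-out visitors never reach the handler.
        add_action( 'wp_ajax_complete_payment', [ __CLASS__, 'complete' ] );
    }

    public static function complete() {
        check_ajax_referer( 'ccb_nonce', 'nonce' ); // still needed: CSRF protection for logged-in users

        $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
        $order    = $order_id ? get_post( $order_id ) : null;
        if ( ! $order || self::ORDER_POST_TYPE !== $order->post_type ) {
            wp_send_json_error( [ 'message' => 'unknown order' ], 404 );
        }

        // Authorization: only the order's owner or a site administrator may touch this order.
        $is_owner = (int) $order->post_author === get_current_user_id();
        if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( [ 'message' => 'forbidden' ], 403 );
        }

        // The browser is not the source of truth for "paid": confirm with the gateway, server to server.
        if ( ! self::gateway_confirms_payment( $order_id ) ) {
            wp_send_json_error( [ 'message' => 'payment not confirmed by gateway' ], 402 );
        }

        update_post_meta( $order_id, '_payment_status', 'completed' );
        wp_send_json_success( [ 'order_id' => $order_id ] );
    }

    // Looks up the transaction the order was created with and checks that the gateway reports it
    // as paid for the expected amount. Endpoint, auth header and response fields are assumed.
    private static function gateway_confirms_payment( $order_id ) {
        $txn = get_post_meta( $order_id, '_gateway_txn_id', true );
        if ( ! $txn ) {
            return false;
        }
        $resp = wp_remote_get( self::GATEWAY_STATUS_URL . rawurlencode( $txn ), [
            'timeout' => 10,
            'headers' => [ 'Authorization' => 'Bearer ' . get_option( 'example_gateway_secret' ) ],
        ] );
        if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
            return false;
        }
        $body     = json_decode( wp_remote_retrieve_body( $resp ), true );
        $expected = (int) get_post_meta( $order_id, '_amount_cents', true );
        return is_array( $body )
            && ( $body['status'] ?? '' ) === 'paid'
            && (int) ( $body['amount_cents'] ?? -1 ) === $expected;
    }
}

add_action( 'init', [ 'Hardened_Order_Controller', 'register' ] );
```

The hardened handler keeps the nonce, which still does its one job of preventing CSRF, and adds what a nonce cannot supply: it is not registered under wp_ajax_nopriv_, it requires the caller to be the order's owner or an administrator, and it treats the gateway rather than the browser as the authority on whether money moved, including the amount. Where guests must be able to complete orders, the status change belongs in a signed gateway webhook handler, not in any browser-initiated request.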
Attack Vector
An attacker can exploit this vulnerability by performing the following steps:
- Visit any page on the target WordPress site that loads the Cost Calculator Builder plugin
- Extract the nonce values from the window.ccb_nonces JavaScript object in the page source
- Send a crafted AJAX POST request to the WordPress admin-ajax.php endpoint with the complete_payment action
- Include the extracted nonce and a target order ID in the request
- The order's payment status will be changed to "completed" without any actual payment processing
This attack requires no authentication and can be executed remotely over the network. The vulnerability allows attackers to target any order ID, potentially affecting all transactions processed through the plugin.
Detection Methods for CVE-2025-14757
Indicators of Compromise
- Orders marked as "completed" with no matching transaction in the payment gateway's records
- Discrepancies between payment processor timestamps and WordPress order completion timestamps, such as an order completed before, or without, any gateway event
- Web server logs showing requests to /wp-admin/admin-ajax.php whose query string contains action=complete_payment, particularly from logged-out clients or unfamiliar IP addresses. Standard access logs do not record POST bodies, and admin-ajax.php accepts the action parameter from the body as well as the query string, so requests that carry the action only in the body are invisible there and can only be seen with application-level or WAF logging
- An unusual volume of such requests, or requests naming many different order IDs from a single source
Detection Strategies
- Monitor WordPress AJAX endpoints for anomalous request patterns, particularly complete_payment actions from unauthenticated users
- Implement log correlation between payment gateway transaction logs and WordPress order status changes
- Deploy Web Application Firewall (WAF) rules that inspect the request body as well as the query string, and alert on requests naming payment-related AJAX actions such as complete_payment
- Review order status change records (from the plugin, if it keeps them, or from an activity-log plugin) for completions that lack a corresponding payment confirmation event
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX handlers, especially those related to payment processing
- Configure alerts for orders transitioning to "completed" status without payment gateway callbacks
- Monitor for high-frequency requests to admin-ajax.php from single IP addresses or user agents
- Implement financial reconciliation processes to identify orders completed without actual payments
How to Mitigate CVE-2025-14757
Immediate Actions Required
- Update Cost Calculator Builder plugin to a version newer than 3.6.9 immediately
- Audit all recent orders for payment status irregularities or missing payment gateway confirmations
- Temporarily disable the Cost Calculator Builder plugin if updating is not immediately possible and business needs permit
- Review server access logs for signs of exploitation targeting the complete_payment AJAX action
Patch Information
The vulnerability has been addressed in versions released after 3.6.9. The fix involves implementing proper authorization checks in the complete() function within CCBOrderController.php. For detailed information about the specific code changes, refer to the WordPress Plugin Change Log.
Additional technical details about the vulnerable code can be found in the Wordfence Vulnerability Report.
Workarounds
- Restrict the complete_payment action to authenticated users at the server level where feasible; do not block all unauthenticated admin-ajax.php traffic, since many front-end features (including the calculator itself) legitimately use wp_ajax_nopriv
- Deploy WAF rules that block unauthenticated requests containing the complete_payment action parameter in either the query string or the POST body
- Add custom authorization checks through a mu-plugin or theme functions file that hooks into the AJAX action before the plugin processes it
- Consider implementing additional payment verification through direct payment gateway API reconciliation
# Example: reject requests that name the complete_payment action in the query string (Apache .htaccess)
# Add to the WordPress root .htaccess before the WordPress rewrite rules.
# Limitation: mod_rewrite cannot read a POST body, and admin-ajax.php reads the action
# parameter from $_REQUEST (query string or body), so a request that sends
# action=complete_payment only in the body passes this rule. Cover that case with a WAF
# that inspects request bodies (for example ModSecurity) or with a mu-plugin-level check.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} (^|&)action=complete_payment($|&) [NC]
RewriteRule ^ - [F,L]
</IfModule>
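The mu-plugin workaround and the application-level logging recommended under Monitoring Recommendations can be combined in one small guard. This is an added example, not code from the plugin vendor. It assumes the AJAX action value is exactly complete_payment, as this advisory states, and that the order identifier travels in a parameter named order_id, which is an assumption since the parameter name is not given above.

```php
<?php
/**
 * Plugin Name: Guard for complete_payment (added example; hypothetical mu-plugin)
 * Description: Drop into wp-content/mu-plugins/. Logs every complete_payment attempt and
 *              refuses it unless the caller is a logged-in administrator.
 *
 * Not the Cost Calculator Builder plugin's code. Assumes the action value is
 * 'complete_payment' and that the order ID parameter is named 'order_id'.
 */

add_action( 'init', function () {
    // admin-ajax.php fires init before it dispatches wp_ajax_* / wp_ajax_nopriv_* hooks,
    // so this callback runs before the plugin's own handler.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // admin-ajax.php takes the action from $_REQUEST, i.e. query string or POST body.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'complete_payment' !== $action ) {
        return;
    }

    $ip       = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $order_id = isset( $_REQUEST['order_id'] ) ? absint( $_REQUEST['order_id'] ) : 0; // parameter name assumed
    $user_id  = get_current_user_id();
    $allowed  = $user_id > 0 && current_user_can( 'manage_options' );

    // Application-level record of every attempt, including body-borne actions that never
    // appear in web server access logs.
    error_log( sprintf(
        'complete_payment attempt ip=%s user=%d order=%d allowed=%d',
        $ip,
        $user_id,
        $order_id,
        (int) $allowed
    ) );

    if ( $allowed ) {
        return; // let the plugin's own handler run for administrators
    }

    // Ends the request with HTTP 403 before the plugin's handler is reached.
    wp_send_json_error( [ 'message' => 'forbidden' ], 403 );
}, 1 );
```

Every attempt is written to the PHP error log with source IP, user and order ID, which gives the visibility into POST bodies that access logs lack and feeds the alerting and reconciliation steps above. The trade-off: if the plugin's legitimate flow calls complete_payment from a logged-out customer's browser, that flow is blocked too, so test on staging and treat the guard as a stopgap until the update past 3.6.9 is applied.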
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


