Skip to main content
CVE Vulnerability Database

CVE-2025-9243: Cost Calculator Builder Auth Bypass Flaw

CVE-2025-9243 is an authentication bypass vulnerability in Cost Calculator Builder plugin for WordPress that allows subscriber-level attackers to modify order status. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-9243 Overview

CVE-2025-9243 is a broken access control vulnerability in the Cost Calculator Builder plugin for WordPress. The flaw exists in all versions up to and including 3.5.32. The plugin fails to implement capability checks on the get_cc_orders and update_order_status functions. Authenticated attackers with Subscriber-level access or higher can read order data and modify order status without authorization. The issue is classified under CWE-862: Missing Authorization.

Critical Impact

Any authenticated user, including low-privilege Subscribers, can enumerate customer orders and alter order status on affected WordPress sites, breaking the confidentiality and integrity of e-commerce data.

Affected Products

  • Cost Calculator Builder plugin for WordPress, all versions through 3.5.32
  • WordPress sites using the plugin's order management functionality
  • E-commerce and service-quoting workflows relying on the plugin's REST endpoints

Discovery Timeline

  • 2025-10-04 - CVE-2025-9243 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9243

Vulnerability Analysis

The Cost Calculator Builder plugin exposes two server-side functions, get_cc_orders and update_order_status, that manage order records generated by the calculator. These handlers verify that a request originates from an authenticated user but do not verify that the user holds an administrative or shop-management capability. As a result, the authorization boundary between Subscribers and site operators collapses at these endpoints.

The Wordfence advisory and the CleanTalk analysis confirm the missing capability check pattern. The upstream fix is visible in the WordPress plugin changeset 3371684, which introduces capability enforcement before the affected handlers execute.

Root Cause

The root cause is a missing current_user_can() capability check inside the AJAX handlers for get_cc_orders and update_order_status. The functions rely on nonce validation and login state, but WordPress nonces prove request origin, not authorization level. Because Subscriber accounts can obtain valid nonces on any page they can view, the nonce-only guard is insufficient to prevent low-privilege abuse.

Attack Vector

An attacker registers or logs in as a Subscriber on a target WordPress site running a vulnerable version of the plugin. The attacker then issues authenticated AJAX or REST requests to the plugin's order endpoints. get_cc_orders returns order records, potentially including customer identifiers and pricing metadata. update_order_status accepts an order ID and a target status value, letting the attacker mark orders as paid, cancelled, or refunded. The exploit requires no user interaction from an administrator and executes over the network against the site's normal admin-ajax surface.

No public proof-of-concept exploit code is currently listed for this CVE. Refer to the WordPress plugin changeset for the exact code paths that received capability checks in the patched release.

Detection Methods for CVE-2025-9243

Indicators of Compromise

  • POST requests to admin-ajax.php with action=get_cc_orders or action=update_order_status originating from Subscriber-level user sessions
  • Unexpected changes to Cost Calculator Builder order status values in the WordPress database, particularly transitions initiated by non-administrator user IDs
  • New Subscriber account registrations followed shortly by requests targeting the plugin's order endpoints

Detection Strategies

  • Enable WordPress audit logging and correlate low-privilege user IDs with calls to Cost Calculator Builder AJAX actions
  • Deploy web application firewall rules that inspect action parameters in admin-ajax.php traffic and validate the requester's role server-side
  • Review database change logs for cost_calc_orders or equivalent tables to identify unauthorized status modifications

Monitoring Recommendations

  • Alert on any HTTP request to plugin order endpoints from accounts lacking manage_options or shop-manager capabilities
  • Monitor for spikes in Subscriber registrations on sites that do not typically accept public registration
  • Track outbound webhook or email notifications tied to order status changes to detect fraudulent state transitions

How to Mitigate CVE-2025-9243

Immediate Actions Required

  • Update the Cost Calculator Builder plugin to a version later than 3.5.32 that includes the capability-check fix from changeset 3371684
  • Disable public user registration on WordPress sites that do not require it, or restrict the default role to prevent Subscriber-level abuse
  • Audit existing order records for unauthorized status changes and reconcile against payment processor data

Patch Information

The plugin vendor addressed the vulnerability by adding capability checks to get_cc_orders and update_order_status. The fix is committed in WordPress plugin changeset 3371684. Site owners should apply the update through the WordPress plugin manager or WP-CLI. Confirm the installed version reports higher than 3.5.32 after the update.

Workarounds

  • Temporarily deactivate the Cost Calculator Builder plugin until the patched version is installed
  • Restrict access to admin-ajax.php for authenticated low-privilege users via WAF rules targeting the affected action parameters
  • Remove existing Subscriber accounts that are not required for site operation to reduce the attacker pool
bash
# Update the plugin via WP-CLI to remediate CVE-2025-9243
wp plugin update cost-calculator-builder
wp plugin get cost-calculator-builder --field=version

# Disable public registration if not needed
wp option update users_can_register 0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.