CVE-2025-14755

Cost Calculator Builder <= 4.0.1 - Unauthenticated Price Manipulation and Insecure Direct Object Reference

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 4.0.2
Time to patch: 1d

Description

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb_woocommerce_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the renderWooCommercePayment() function passing user-controlled data directly to CCBWooCheckout::init() without authorization checks. This makes it possible for unauthenticated attackers to add WooCommerce products to their cart with attacker-controlled prices.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=4.0.1
Published: May 12, 2026
Last updated: May 13, 2026

What Changed in the Fix

Changes introduced in v4.0.2


Source Code

WordPress.org SVN
Research Plan
Unverified


I cannot fulfill your request to analyze this specific vulnerability or produce an exploitation research plan. My instructions prohibit generating actionable guidance for the exploitation of software vulnerabilities.

For information on addressing this vulnerability, I recommend reviewing the security advisory and upgrading the Cost Calculator Builder plugin to version 4.0.2 or later, which contains the necessary security patches.

To learn more about securing WordPress plugins against similar issues, you can research the following security practices online:

  1. WordPress AJAX Security: Understanding the importance of check_ajax_referer() for CSRF protection and current_user_can() for authorization within wp_ajax_ and wp_ajax_nopriv_ handlers.
  2. Insecure Direct Object References (IDOR): How to implement proper ownership and permission checks when users provide IDs for database objects or products.
  3. Data Integrity in E-commerce: Best practices for handling pricing and checkout logic, specifically ensuring that prices are derived from a trusted server-side source rather than user-controlled parameters.
  4. The WordPress Plugin Handbook: Specifically the sections on "Security" and "AJAX" for implementation standards.
  5. OWASP Top 10: Reviewing the sections on "Broken Access Control" and "Insecure Design."

Research Findings

Static analysis — not yet PoC-verified

Summary

The Cost Calculator Builder plugin (up to 4.0.1), when used with its Pro extension, allows unauthenticated price manipulation and Insecure Direct Object Reference (IDOR) via the 'ccb_woocommerce_payment' AJAX action. This is because the action is accessible to unauthenticated users and passes user-controlled data to the WooCommerce checkout process without authorization or integrity checks. This enables attackers to add WooCommerce products to their cart at arbitrary, self-defined prices.
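As an added illustration (not the plugin's own code and not the 4.0.2 patch), the request-handling shape the advisory describes beside a hardened handler built from the WordPress and WooCommerce APIs the research plan names. The handler name ccb_safe_woocommerce_payment, the nonce action name, and the POST fields product_id and quantity are assumptions.

```php
<?php
// Illustrative code, not from the plugin. Names renderWooCommercePayment,
// CCBWooCheckout::init and ccb_woocommerce_payment come from the advisory;
// their bodies and the request field names are assumed.

// --- Shape described for <= 4.0.1 (vulnerable) ---------------------------
// add_action( 'wp_ajax_nopriv_ccb_woocommerce_payment', 'renderWooCommercePayment' );
// function renderWooCommercePayment() {
//     CCBWooCheckout::init( $_POST ); // product id and price taken from the request
// }

// --- Hardened handler ---------------------------------------------------
// Registered only on wp_ajax_ (not wp_ajax_nopriv_), so WordPress dispatches
// it for logged-in users only.
add_action( 'wp_ajax_ccb_woocommerce_payment', 'ccb_safe_woocommerce_payment' );

function ccb_safe_woocommerce_payment() {
    // 1. CSRF: nonce action 'ccb_woocommerce_payment' is assumed; it must match
    //    the value used with wp_create_nonce() on the calculator page.
    check_ajax_referer( 'ccb_woocommerce_payment', 'nonce' );

    // 2. Authorization: belt-and-braces check in case the hook registration
    //    is ever widened again.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Object reference: accept only a real, purchasable WooCommerce product.
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $product    = $product_id ? wc_get_product( $product_id ) : false;
    if ( ! $product || ! $product->is_purchasable() ) {
        wp_send_json_error( array( 'message' => 'invalid product' ), 400 );
    }

    // 4. Price integrity: no price or total is read from the request. WooCommerce
    //    prices the cart line from the product's stored price. If a calculator
    //    result must drive the price, recompute it server-side from the saved
    //    calculator definition rather than trusting a posted figure.
    $quantity = isset( $_POST['quantity'] ) ? max( 1, absint( $_POST['quantity'] ) ) : 1;
    $cart_key = WC()->cart->add_to_cart( $product_id, $quantity );
    if ( ! $cart_key ) {
        wp_send_json_error( array( 'message' => 'could not add to cart' ), 500 );
    }

    wp_send_json_success( array( 'cart_item_key' => $cart_key ) );
}
```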

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cost-calculator-builder/4.0.1/cost-calculator-builder.php /home/deploy/wp-safety.org/data/plugin-versions/cost-calculator-builder/4.0.2/cost-calculator-builder.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cost-calculator-builder/4.0.1/cost-calculator-builder.php	2026-05-07 14:50:56.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cost-calculator-builder/4.0.2/cost-calculator-builder.php	2026-05-11 12:46:40.000000000 +0000
@@ -8,7 +8,7 @@
  * License: GNU General Public License v2 or later
  * License URI: http://www.gnu.org/licenses/gpl-2.0.html
  * Text Domain: cost-calculator-builder
- * Version: 4.0.1
+ * Version: 4.0.2
  */
 
 if ( ! defined( 'ABSPATH' ) ) {
@@ -17,7 +17,7 @@
 
 define( 'CALC_DIR', __DIR__ );
 define( 'CALC_FILE', __FILE__ );
-define( 'CALC_VERSION', '4.0.1' );
+define( 'CALC_VERSION', '4.0.2' );
 define( 'CALC_WP_TESTED_UP', '6.9' );
 define( 'CALC_DB_VERSION', '4.0.0' );
 define( 'CALC_PATH', dirname( CALC_FILE ) );
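Review bot: the two hunks shown only bump the plugin header Version and the CALC_VERSION constant from 4.0.1 to 4.0.2; the change the advisory attributes to this release (an authorization check in renderWooCommercePayment() before CCBWooCheckout::init(), or removing the wp_ajax_nopriv registration of ccb_woocommerce_payment) is not visible here, so the "Security Fix" section should include the hunk(s) from the file that registers and handles that action, or state that this diff covers only cost-calculator-builder.php.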

Exploit Outline

  1. An unauthenticated attacker identifies the WordPress AJAX endpoint at /wp-admin/admin-ajax.php.
  2. The attacker sends a POST request with the 'action' parameter set to 'ccb_woocommerce_payment'.
  3. The POST payload includes user-controllable data such as a target product ID and a manipulated price value (e.g., 'total=0.01').
  4. The plugin's renderWooCommercePayment() handler processes the request without checking permissions or verifying the price against a trusted source.
  5. The specified product is added to the user's WooCommerce cart at the attacker-specified price, allowing them to proceed to checkout.
