CVE-2025-14757
📋 TL;DR
Cost Calculator Builder for WordPress (and its PRO add-on) exposes an AJAX action that marks an order's payment status as 'completed'. In affected versions the action is reachable without authentication and is guarded only by a nonce that the plugin prints into the public page source (window.ccb_nonces), so any visitor can read the nonce, call the action and complete any order without paying. Every site running a vulnerable version is affected; the fix is to update to 3.7.0 or later.
💻 Affected Systems
- WordPress Cost Calculator Builder plugin, versions before 3.7.0 (the vulnerable code is referenced at tag 3.6.7)
- WordPress Cost Calculator Builder PRO plugin, versions before 3.7.0
📦 What is this software?
Cost Calculator Builder by Stylemixthemes
⚠️ Risk & Real-World Impact
Worst Case
Mass fraudulent order completions leading to financial loss, inventory depletion, and business disruption as attackers can mark unpaid orders as paid.
Likely Case
Individual fraudulent order completions causing revenue loss and order fulfillment errors for affected businesses.
If Mitigated
Limited impact if proper order verification processes exist, but still creates audit trail issues and potential data integrity problems.
🎯 Exploit Status
Exploitation needs only HTTP access to the site and a basic grasp of WordPress admin-ajax calls: the nonce the action checks is printed into the public page source, so there is no login, secret or prior foothold to obtain first.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.0 or later
Fix commit (changeset 3437516 to CCBOrderController.php; no separate vendor advisory is linked on this page): https://plugins.trac.wordpress.org/changeset/3437516/cost-calculator-builder/trunk/includes/classes/CCBOrderController.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Cost Calculator Builder' and 'Cost Calculator Builder PRO'
4. Click 'Update Now' for both plugins
5. Verify both plugins are version 3.7.0 or higher
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove the vulnerable AJAX action registration so unauthenticated callers can no longer reach it. remove_action() only takes effect when the hook name, callback and priority match exactly what the plugin passed to add_action(); 'complete_payment_callback' below is a placeholder, so take the real callback (and priority, if not the default 10) from CCBAjaxAction.php of the installed version, and run the removal after the plugin has registered the hook. If the plugin registers a class method, removal needs the same object instance, which a functions.php snippet usually cannot obtain; in that case the request-level block under 'If You Can't Patch' is the more reliable stopgap.
Add to theme's functions.php or custom plugin:
add_action('init', function() {
    // Hook and callback names must match the plugin's own add_action() call;
    // remove_action() returns false and changes nothing if they do not.
    remove_action('wp_ajax_nopriv_complete_payment', 'complete_payment_callback');
    remove_action('wp_ajax_complete_payment', 'complete_payment_callback');
}, 99); // late priority so the plugin's registration has already run
Temporarily disable plugin
Deactivate both Cost Calculator Builder plugins until they are updated. The slugs below are as typically installed; confirm them with wp plugin list, since the PRO add-on's slug can differ.
wp plugin deactivate cost-calculator-builder cost-calculator-builder-pro
🧯 If You Can't Patch
- At the WAF or reverse proxy, block POST requests to /wp-admin/admin-ajax.php whose action parameter is complete_payment unless the request carries a wordpress_logged_in_* cookie. This also stops the plugin's own legitimate front-end call, so treat it as a stopgap until the update is applied.
- Never let the client declare an order paid: mark an order completed only after the server has confirmed the payment with the gateway (webhook or server-side lookup) and the paid amount matches the order total. A nonce printed into the page is CSRF protection, not proof of identity or payment.
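Added example, not the plugin's code and not the actual change in changeset 3437516: a hypothetical reconstruction of the vulnerable handler pattern beside a hardened version, written as a WordPress mu-plugin. All ccb_demo_* names, the ccb_demo_order post type, the meta keys, the REST route and the gateway's HMAC-SHA256 signature scheme are assumptions for illustration. What it shows is the separation the fix needs: a staff user may complete an order only with a nonce plus a real capability check, and a customer order is completed only by the payment gateway's server-to-server webhook, verified and amount-checked on the server.

```php
<?php
/*
 * Plugin Name: CCB demo - payment status hardening (added example, hypothetical)
 * Drop into wp-content/mu-plugins/. Every ccb_demo_* name, the ccb_demo_order
 * post type, the meta keys and the gateway signature scheme are assumptions.
 */

// ---- VULNERABLE PATTERN (reconstruction of the bug class, not the plugin's code)
function ccb_demo_complete_payment_vulnerable() {
    // The nonce is printed into every page as window.ccb_nonces, so any visitor
    // has it. check_ajax_referer() proves the caller saw the page; it is CSRF
    // protection, not authentication, and certainly not proof of payment.
    check_ajax_referer('ccb_demo_complete_payment', 'nonce');
    $order_id = isset($_POST['order_id']) ? absint($_POST['order_id']) : 0;
    update_post_meta($order_id, 'ccb_payment_status', 'completed');
    wp_send_json_success(['order_id' => $order_id]);
}
// Left unregistered on purpose; the nopriv hook is what made it reachable anonymously:
// add_action('wp_ajax_nopriv_ccb_demo_complete_payment', 'ccb_demo_complete_payment_vulnerable');
// add_action('wp_ajax_ccb_demo_complete_payment',        'ccb_demo_complete_payment_vulnerable');

// ---- HARDENED, path 1: a staff member completes an order by hand.
// No nopriv hook at all; nonce (CSRF) plus a real capability check (authorization).
function ccb_demo_complete_payment_hardened() {
    check_ajax_referer('ccb_demo_complete_payment', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['error' => 'forbidden'], 403);
    }
    $order_id = isset($_POST['order_id']) ? absint($_POST['order_id']) : 0;
    if (!$order_id || get_post_type($order_id) !== 'ccb_demo_order') {
        wp_send_json_error(['error' => 'unknown order'], 404);
    }
    update_post_meta($order_id, 'ccb_payment_status', 'completed');
    update_post_meta($order_id, 'ccb_completed_by', get_current_user_id()); // audit trail
    wp_send_json_success(['order_id' => $order_id]);
}
add_action('wp_ajax_ccb_demo_complete_payment', 'ccb_demo_complete_payment_hardened');

// ---- HARDENED, path 2: a customer's order is completed only by the gateway's
// server-to-server webhook. The browser is never asked whether it paid.
function ccb_demo_verify_gateway_signature($raw_body, $header_sig, $secret) {
    // Assumed scheme: hex HMAC-SHA256 over the raw body with a shared secret.
    $expected = hash_hmac('sha256', $raw_body, $secret);
    return is_string($header_sig) && hash_equals($expected, $header_sig); // constant-time
}

function ccb_demo_gateway_webhook(WP_REST_Request $request) {
    $secret = defined('CCB_DEMO_GATEWAY_SECRET') ? CCB_DEMO_GATEWAY_SECRET : '';
    $raw    = $request->get_body();
    if ($secret === '' || !ccb_demo_verify_gateway_signature($raw, $request->get_header('x-gateway-signature'), $secret)) {
        return new WP_Error('bad_signature', 'signature mismatch', ['status' => 401]);
    }
    $event    = json_decode($raw, true);
    $order_id = is_array($event) ? absint($event['order_id'] ?? 0) : 0;
    if (!$order_id || ($event['status'] ?? '') !== 'paid' || get_post_type($order_id) !== 'ccb_demo_order') {
        return new WP_REST_Response(['ignored' => true], 200);
    }
    // Idempotent: gateways retry deliveries; a second 'paid' event must not re-run side effects.
    if (get_post_meta($order_id, 'ccb_payment_status', true) === 'completed') {
        return new WP_REST_Response(['already_completed' => true], 200);
    }
    // The paid amount must match the order, or a token payment completes a large order.
    $expected_total = (float) get_post_meta($order_id, 'ccb_order_total', true);
    if (abs((float) ($event['amount'] ?? 0) - $expected_total) > 0.005) {
        return new WP_Error('amount_mismatch', 'paid amount differs from order total', ['status' => 400]);
    }
    update_post_meta($order_id, 'ccb_payment_status', 'completed');
    update_post_meta($order_id, 'ccb_gateway_txn', sanitize_text_field($event['txn_id'] ?? ''));
    return new WP_REST_Response(['ok' => true], 200);
}

add_action('rest_api_init', function () {
    register_rest_route('ccb-demo/v1', '/gateway-webhook', [
        'methods'             => 'POST',
        'callback'            => 'ccb_demo_gateway_webhook',
        'permission_callback' => '__return_true', // the HMAC check is the authentication
    ]);
});
```

Define CCB_DEMO_GATEWAY_SECRET in wp-config.php and point the gateway at /wp-json/ccb-demo/v1/gateway-webhook. The webhook deliberately uses permission_callback '__return_true' because gateways do not hold WordPress sessions; the HMAC over the raw body, compared with hash_equals(), is what authenticates it. If the real gateway signs differently (for example over a timestamp plus body), swap in its scheme and keep the amount and idempotency checks.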
🔍 How to Verify
Check if Vulnerable:
From a logged-out browser, confirm the plugin prints window.ccb_nonces into the source of a page that embeds a calculator; then send a POST to /wp-admin/admin-ajax.php with action=complete_payment and no login cookie. A vulnerable version accepts it. Do this only on a test site or against a throwaway order, since a successful probe really flips that order's payment status to 'completed'.
Check Version:
wp plugin get cost-calculator-builder --field=version
Verify Fix Applied:
Verify the plugin version is 3.7.0 or later and, on a test order, confirm that an unauthenticated POST to the complete_payment AJAX action is rejected and leaves the order's payment status unchanged.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=complete_payment from requests carrying no wordpress_logged_in_* cookie (an IP address is never authenticated; look at the session state, not the source address)
- Order status changes from 'pending' to 'completed' with no corresponding payment record at the gateway, especially many orders in a short window from one source
Network Indicators:
- HTTP POST requests to admin-ajax.php with action=complete_payment arriving from outside the site's own front end (no matching Referer, or scripted User-Agents)
- Absence of a wordpress_logged_in_* cookie on those requests; WordPress AJAX authenticates with cookies, not with Authorization headers, so a request with no cookie is anonymous by definition
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND form_data.action="complete_payment" AND NOT cookie="*wordpress_logged_in_*"
The form_data field needs request-body logging (a WAF audit log or application-level logging); ordinary access logs record only the URL and will not contain the action parameter of a POST. Filtering on user_agent!="WordPress/*" only excludes WP-Cron and loopback requests; attackers choose their own User-Agent, so do not rely on it as an exclusion.
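Because admin-ajax.php POST bodies never reach an ordinary access log, the simplest way to obtain the indicators above is to have WordPress emit them itself. Added example, not the plugin's or the vendor's code: a mu-plugin that writes one JSON line per complete_payment attempt, authenticated or not, and optionally refuses unauthenticated ones. The action name complete_payment and the order_id and nonce POST fields are taken from this page; the ccb_demo_* names and the CCB_DEMO_BLOCK_ANON constant are assumptions.

```php
<?php
/*
 * Plugin Name: CCB demo - complete_payment telemetry (added example, hypothetical)
 * Drop into wp-content/mu-plugins/ so it loads before ordinary plugins.
 * The action name complete_payment and the order_id / nonce POST fields come
 * from the advisory text; ccb_demo_* names and CCB_DEMO_BLOCK_ANON are assumptions.
 */

if (!defined('CCB_DEMO_BLOCK_ANON')) {
    define('CCB_DEMO_BLOCK_ANON', true); // false = log only, keep the front-end call working
}

// One structured record per attempt. Kept as a pure function of the request
// arrays so the field set is easy to review and to extend for a SIEM.
function ccb_demo_payment_event(array $server, array $post, array $cookie, $user_id) {
    $has_login_cookie = false;
    foreach (array_keys($cookie) as $name) {
        if (strpos((string) $name, 'wordpress_logged_in_') === 0) {
            $has_login_cookie = true;
            break;
        }
    }
    return [
        'ts'           => gmdate('c'),
        'event'        => 'ccb_complete_payment_attempt',
        'ip'           => $server['REMOTE_ADDR'] ?? '',  // behind a CDN, substitute the proxy-corrected address
        'ua'           => substr($server['HTTP_USER_AGENT'] ?? '', 0, 200),
        'referer'      => $server['HTTP_REFERER'] ?? '',
        'user_id'      => (int) $user_id,                 // 0 = unauthenticated
        'login_cookie' => $has_login_cookie,              // cookie present with user_id 0 = stale or forged cookie
        'order_id'     => isset($post['order_id']) ? (int) $post['order_id'] : null,
        'nonce_sent'   => isset($post['nonce']),
    ];
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_* / wp_ajax_nopriv_*,
// so priority 0 here runs ahead of the plugin's own handler.
add_action('admin_init', function () {
    if (!wp_doing_ajax() || ($_REQUEST['action'] ?? '') !== 'complete_payment') {
        return;
    }
    $event            = ccb_demo_payment_event($_SERVER, $_POST, $_COOKIE, get_current_user_id());
    $event['blocked'] = CCB_DEMO_BLOCK_ANON && $event['user_id'] === 0;
    error_log(wp_json_encode($event)); // one JSON line, collected with the PHP error log
    if ($event['blocked']) {
        wp_send_json_error(['error' => 'forbidden'], 403); // ends the request; the plugin handler never runs
    }
}, 0);
```

With these lines shipped to the SIEM, the anonymous-attempt indicator becomes event="ccb_complete_payment_attempt" AND user_id=0, and a burst of distinct order_id values from one ip is the mass-completion case described under Worst Case. Set CCB_DEMO_BLOCK_ANON to false if the site's legitimate checkout still depends on the anonymous call until the update is applied; the logging works either way.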
🔗 References
- https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBAjaxAction.php#L98
- https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBOrderController.php#L408
- https://plugins.trac.wordpress.org/changeset/3437516/cost-calculator-builder/trunk/includes/classes/CCBOrderController.php?old=3426823&old_path=cost-calculator-builder%2Ftrunk%2Fincludes%2Fclasses%2FCCBOrderController.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b8415e5f-17a4-425c-ac28-5dd886d1bcf1?source=cve