CVE-2025-9243
📋 TL;DR
The Cost Calculator Builder plugin for WordPress has a missing-authorization vulnerability that allows authenticated users with Subscriber-level access or higher to modify order statuses and reach the plugin's order management functions. This affects all WordPress sites running vulnerable versions of the plugin. Attackers can manipulate order data without the permission checks those functions should enforce.
💻 Affected Systems
- WordPress Cost Calculator Builder plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate financial records, cancel legitimate orders, mark fraudulent orders as completed, or disrupt business operations by mass-modifying order statuses.
Likely Case
Unauthorized users modifying order statuses to disrupt business operations, mark test orders as completed, or manipulate order tracking data.
If Mitigated
With proper access controls and monitoring, impact is limited to minor data integrity issues that can be detected and corrected.
🎯 Exploit Status
Exploitation requires an authenticated account but is straightforward once one is obtained. The vulnerability is publicly documented, and the fixing code changes are visible in the vendor changeset.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.33 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3371684/cost-calculator-builder
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Cost Calculator Builder'
4. Click 'Update Now' if update is available
5. Alternatively, download version 3.5.33 or later from the WordPress plugin repository
6. Deactivate and delete old version, then upload and activate new version
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Deactivate the vulnerable plugin until the patched version is installed
wp plugin deactivate cost-calculator-builder
Role-Based Access Restriction
Temporarily restrict Subscriber role capabilities using WordPress role management plugins
🧯 If You Can't Patch
- Implement strict monitoring of order status changes and user activity logs
- Apply network-level restrictions to limit access to WordPress admin areas from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins, find Cost Calculator Builder and verify that the version is 3.5.32 or lower
Check Version:
wp plugin get cost-calculator-builder --field=version
Verify Fix Applied:
After the update, verify that the plugin version shows 3.5.33 or higher in the WordPress plugins list
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=get_cc_orders or action=update_order_status from accounts that should not manage orders
- Unexpected order status changes from non-admin users
- User role escalation attempts
Network Indicators:
- Increased admin-ajax.php requests from non-admin user accounts
- Pattern of order status modification requests
SIEM Query:
source="wordpress.log" AND ("get_cc_orders" OR "update_order_status") AND user_role!="administrator" AND user_role!="shop_manager"
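As an added example (not part of this advisory or of the plugin's own code), the Python script below applies the log indicators above to constructed log lines: it flags admin-ajax.php calls to get_cc_orders or update_order_status made by accounts outside the administrator and shop_manager roles, whether the action arrives in the POST body or the query string. The key=value log format, user names and roles are assumptions; plain web-server logs normally lack the acting user's role, so this presumes an audit plugin or reverse proxy that records it.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Actions named in the advisory's log indicators, and the roles the SIEM query treats as legitimate.
ORDER_ACTIONS = {"get_cc_orders", "update_order_status"}
ALLOWED_ROLES = {"administrator", "shop_manager"}

# Constructed sample log (assumed key=value format; 'body' holds the raw POST body).
SAMPLE_LOG = """\
ts=2025-01-10T10:00:01Z method=POST path=/wp-admin/admin-ajax.php user=alice role=administrator body=action=update_order_status&order_id=41&status=completed
ts=2025-01-10T10:00:07Z method=POST path=/wp-admin/admin-ajax.php user=bob role=subscriber body=action=get_cc_orders
ts=2025-01-10T10:00:09Z method=POST path=/wp-admin/admin-ajax.php user=bob role=subscriber body=action=update_order_status&order_id=41&status=completed
ts=2025-01-10T10:00:12Z method=POST path=/wp-admin/admin-ajax.php user=carol role=subscriber body=action=heartbeat
ts=2025-01-10T10:00:15Z method=GET path=/wp-admin/admin-ajax.php?action=get_cc_orders user=dave role=shop_manager body=
"""


def parse_line(line):
    """Split one key=value log line into a dict; only the first '=' separates key from value."""
    return dict(tok.split("=", 1) for tok in line.split())


def ajax_action(rec):
    """Return the admin-ajax 'action' parameter, checking the POST body first, then the query string."""
    query = urlsplit(rec.get("path", "")).query
    for source in (rec.get("body", ""), query):
        action = parse_qs(source).get("action")
        if action:
            return action[0]
    return None


def find_suspicious(log_text):
    """Return (ts, user, role, action) for order-management calls by roles outside ALLOWED_ROLES."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not rec.get("path", "").startswith("/wp-admin/admin-ajax.php"):
            continue
        action = ajax_action(rec)
        if action in ORDER_ACTIONS and rec.get("role") not in ALLOWED_ROLES:
            hits.append((rec["ts"], rec["user"], rec["role"], action))
    return hits


def status_changes_by_user(hits):
    """Count update_order_status calls per user; a high count suggests mass modification."""
    return Counter(user for _, user, _, action in hits if action == "update_order_status")


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("SUSPICIOUS ts=%s user=%s role=%s action=%s" % hit)
```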