CVE-2025-14755: IDOR in Cost Calculator Builder WordPress Plugin
Platform
wordpress
Component
cost-calculator-builder
Fixed in
4.0.2
CVE-2025-14755 affects the Cost Calculator Builder plugin for WordPress, versions up to and including 4.0.1, when it is used together with Cost Calculator Builder PRO. The flaw is an insecure direct object reference (IDOR) in the plugin's AJAX handling: a request parameter that should be checked against the requester's authorization is trusted as supplied, which lets unauthenticated attackers manipulate prices in the WooCommerce integration. Version 4.0.2 fixes the issue.
Detect this CVE in your project
Upload your dependency file and find out immediately whether this and other CVEs affect you.
Impact and Attack Scenarios
An attacker exploiting this IDOR can alter the price a WooCommerce store applies to products sold through the Cost Calculator Builder integration, without holding any account on the site. The obvious abuse is completing a purchase at a price of the attacker's choosing, which is a direct financial loss for the store; the same weakness can be used to tamper with discounts or other pricing-related values the integration passes to WooCommerce. Because the request needs no authentication, no user interaction and no special conditions, anyone who can reach the site's AJAX endpoint can attempt it. The CVSS rating nevertheless stays at Medium: the impact is limited to the integrity of pricing data in the affected component (Integrity: Low, Scope: Unchanged), with no confidentiality or availability impact, so this is a fraud and revenue-integrity problem rather than a site-compromise vector. Stores whose WooCommerce checkout depends on the calculator are the most exposed.
Exploitation Context
As of this writing, CVE-2025-14755 is not on the CISA KEV list and no public proof-of-concept code is available. The CVSS base score of 5.3 (Medium) measures severity, not the probability of exploitation; an EPSS score, which does estimate that probability, was not available for this entry at the time of writing. Because the flaw needs no authentication, no user interaction and no special conditions, it is the kind of issue opportunistic attackers scan for once details spread. The vulnerability was published on 2026-05-12.
Threat Analysis
Exploit Status
Not listed on CISA KEV; no public proof-of-concept code known (as of writing)
CISA SSVC
CVSS Vector
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (base score 5.3, Medium)
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. Exploitable without authentication; no credentials needed.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Unchanged. Impact is confined to the vulnerable component.
- Confidentiality: None. No confidentiality impact.
- Integrity: Low. The attacker can modify some data, with limited scope.
- Availability: None. No availability impact.
Affected Software
cost-calculator-builder (WordPress), versions up to and including 4.0.1, when used with Cost Calculator Builder PRO
Vulnerability Classification (CWE)
Timeline
- Reserved
- Published: 2026-05-12
- Modified
Mitigation and Workarounds
The primary mitigation for CVE-2025-14755 is to update the Cost Calculator Builder plugin to version 4.0.2 or later. If updating is not immediately possible, for example because of compatibility concerns, temporarily disable the WooCommerce integration in the plugin's settings; this removes the path for price manipulation through the vulnerable AJAX endpoint, at the cost of the integration itself. A web application firewall (WAF), or a small must-use plugin, can instead reject requests to the ccbwoocommercepayment AJAX action from unauthenticated users. Bear in mind that WordPress AJAX for all users runs through /wp-admin/admin-ajax.php, so the rule has to match on the action parameter together with the absence of a valid login session, not on the URL path alone; and if guest shoppers legitimately call this action during checkout, blocking it has the same functional effect as disabling the integration. In either case, review WooCommerce orders for line items whose price does not match the calculator's configured pricing, and watch for unusual request volume against the plugin's AJAX action; that is where abuse of this flaw would show up.
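The following must-use plugin is an added example of the virtual patch described above; it is not code from the Cost Calculator Builder project or from the advisory. It assumes the AJAX action name exactly as printed on this page (`ccbwoocommercepayment`), which you should confirm against the installed plugin's source before relying on it, and it uses only standard WordPress APIs (`admin_init`, `wp_doing_ajax`, `is_user_logged_in`, `wp_send_json_error`). Saved as wp-content/mu-plugins/cve-2025-14755-guard.php, it rejects the action for unauthenticated requesters before WordPress dispatches the `wp_ajax_nopriv_` handler.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-14755 (Cost Calculator Builder)
 * Description: Rejects unauthenticated requests to the vulnerable AJAX action
 *              until the plugin is updated to 4.0.2 or later.
 *
 * Added example, not code from the Cost Calculator Builder project. The action
 * name below is copied from the advisory text as printed; verify it against the
 * installed plugin (grep for "wp_ajax_nopriv_" in its source) before deploying.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const CVE_2025_14755_BLOCKED_ACTIONS = array( 'ccbwoocommercepayment' );

/**
 * Pure policy decision, kept free of WordPress globals so it is easy to read
 * and to unit-test. $action is the request's "action" parameter, $logged_in
 * whether the requester has a WordPress session. $block_all = true rejects the
 * action for everyone, which is equivalent to disabling the integration.
 */
function cve_2025_14755_should_block( $action, $logged_in, $block_all = false ) {
    if ( ! is_string( $action ) ) {
        return false; // arrays or missing values never match an action name
    }
    // Exact, case-sensitive match: WordPress dispatches on the raw string.
    if ( ! in_array( $action, CVE_2025_14755_BLOCKED_ACTIONS, true ) ) {
        return false;
    }
    return $block_all || ! $logged_in;
}

/**
 * admin-ajax.php fires admin_init before it dispatches wp_ajax_nopriv_{action},
 * so hooking there with priority 0 sees the request before the plugin does.
 */
function cve_2025_14755_guard_ajax() {
    if ( ! wp_doing_ajax() ) {
        return; // ordinary admin page loads are not our concern
    }
    $action = isset( $_REQUEST['action'] ) ? wp_unslash( $_REQUEST['action'] ) : '';

    if ( cve_2025_14755_should_block( $action, is_user_logged_in() ) ) {
        // Leave an audit trail; blocked attempts are the "unusual activity"
        // the advisory tells operators to watch for.
        error_log( sprintf(
            'CVE-2025-14755 guard: blocked unauthenticated "%s" from %s',
            $action,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // terminates the request
    }
}
add_action( 'admin_init', 'cve_2025_14755_guard_ajax', 0 );
```

The trade-off is the one noted above: if guest shoppers legitimately trigger this action during checkout, the guard breaks that flow just as disabling the integration would, so treat it as a stopgap and remove the file once version 4.0.2 or later is installed. Matching on the action parameter rather than the URL is deliberate; every WordPress AJAX request, legitimate or not, arrives at the same admin-ajax.php path.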
How to fix
Update to version 4.0.2 or a later patched version.
Frequently Asked Questions
What is CVE-2025-14755 — IDOR in Cost Calculator Builder WordPress Plugin?
CVE-2025-14755 is a Medium severity IDOR vulnerability affecting the Cost Calculator Builder WordPress plugin versions up to 4.0.1 when used with Cost Calculator Builder PRO. It allows unauthenticated attackers to manipulate WooCommerce product prices.
Am I affected by CVE-2025-14755 in Cost Calculator Builder WordPress Plugin?
You are affected if you are using the Cost Calculator Builder plugin for WordPress in conjunction with Cost Calculator Builder PRO and are running version 4.0.1 or earlier.
How do I fix CVE-2025-14755 in Cost Calculator Builder WordPress Plugin?
Upgrade the Cost Calculator Builder plugin to version 4.0.2 or later. As a temporary workaround, disable the WooCommerce integration within the plugin until you can upgrade.
Is CVE-2025-14755 being actively exploited?
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation suggests it could become a target for attackers.
Where can I find the official Cost Calculator Builder advisory for CVE-2025-14755?
Refer to the official Cost Calculator Builder website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-14755.