CVE-2025-14755: IDOR in Cost Calculator Builder WordPress Plugin

An attacker exploiting this IDOR vulnerability can bypass authentication and directly manipulate the prices displayed and used within the Cost Calculator Builder plugin. Because the vulnerability affects WooCommerce payment processing, attackers could potentially initiate fraudulent transactions, leading to financial losses for users or businesses. The lack of authorization checks in the renderWooCommercePayment() function allows attackers to directly call CCBWooCheckout::init() with crafted data, effectively controlling the payment process without proper validation. This could also be leveraged to gain access to sensitive WooCommerce data or potentially escalate privileges within the WordPress environment, depending on the plugin's integration and permissions.

1. आरक्षित2025-12-15
2. प्रकाशित2026-05-12
3. संशोधित2026-05-13

The primary mitigation for CVE-2025-14755 is to immediately upgrade the Cost Calculator Builder plugin to version 4.0.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the Cost Calculator Builder PRO plugin to prevent unauthorized payment manipulation. Implement a Web Application Firewall (WAF) rule to block requests to the ccbwoocommercepayment AJAX action from unauthenticated users. Review and restrict file permissions for the plugin's directory to limit potential attacker access. After upgrading, verify the fix by attempting to manipulate prices through an unauthenticated session and confirming that the changes are rejected.