CVE-2025-14755: IDOR in Cost Calculator Builder WordPress Plugin
Platform
wordpress
Component
cost-calculator-builder
Opgelost in
4.0.2
CVE-2025-14755 is an Insecure Direct Object Reference (IDOR) vulnerability affecting the Cost Calculator Builder plugin for WordPress. This vulnerability allows unauthenticated attackers to manipulate pricing and initiate unauthorized WooCommerce payments. The issue impacts versions 0.0.0 through 4.0.1 when used in conjunction with the Cost Calculator Builder PRO plugin, and a fix is available in version 4.0.2.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Impact en Aanvalsscenarioswordt vertaald…
An attacker exploiting this IDOR vulnerability can bypass authentication and directly manipulate the prices displayed and used within the Cost Calculator Builder plugin. Because the vulnerability affects WooCommerce payment processing, attackers could potentially initiate fraudulent transactions, leading to financial losses for users or businesses. The lack of authorization checks in the renderWooCommercePayment() function allows attackers to directly call CCBWooCheckout::init() with crafted data, effectively controlling the payment process without proper validation. This could also be leveraged to gain access to sensitive WooCommerce data or potentially escalate privileges within the WordPress environment, depending on the plugin's integration and permissions.
Uitbuitingscontextwordt vertaald…
CVE-2025-14755 was published on 2026-05-13. Severity is currently pending full evaluation. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests it could be easily exploited. Monitor security advisories and threat intelligence feeds for potential exploitation campaigns targeting WordPress installations using the Cost Calculator Builder plugin.
Dreigingsinformatie
Exploit Status
EPSS
0.03% (10% percentiel)
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Geen — geen authenticatie vereist om te exploiteren.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Ongewijzigd — impact beperkt tot het kwetsbare component.
- Confidentiality
- Geen — geen vertrouwelijkheidsimpact.
- Integrity
- Laag — aanvaller kan enkele gegevens met beperkte omvang aanpassen.
- Availability
- Geen — geen beschikbaarheidsimpact.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
- EPSS bijgewerkt
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2025-14755 is to immediately upgrade the Cost Calculator Builder plugin to version 4.0.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the Cost Calculator Builder PRO plugin to prevent unauthorized payment manipulation. Implement a Web Application Firewall (WAF) rule to block requests to the ccbwoocommercepayment AJAX action from unauthenticated users. Review and restrict file permissions for the plugin's directory to limit potential attacker access. After upgrading, verify the fix by attempting to manipulate prices through an unauthenticated session and confirming that the changes are rejected.
Hoe te verhelpen
Update naar versie 4.0.2, of een nieuwere gepatchte versie
Veelgestelde vragenwordt vertaald…
What is CVE-2025-14755 — IDOR in Cost Calculator Builder WordPress Plugin?
CVE-2025-14755 is an Insecure Direct Object Reference (IDOR) vulnerability in the Cost Calculator Builder WordPress plugin, affecting versions 0.0.0–4.0.1 when used with Cost Calculator Builder PRO. It allows unauthenticated users to manipulate prices and initiate unauthorized WooCommerce payments.
Am I affected by CVE-2025-14755 in Cost Calculator Builder WordPress Plugin?
You are affected if your WordPress website uses the Cost Calculator Builder plugin and the Cost Calculator Builder PRO extension, and you are running a version prior to 4.0.2. Immediately check your plugin versions.
How do I fix CVE-2025-14755 in Cost Calculator Builder WordPress Plugin?
Upgrade the Cost Calculator Builder plugin to version 4.0.2 or later. If immediate upgrade is not possible, temporarily disable the Cost Calculator Builder PRO plugin.
Is CVE-2025-14755 being actively exploited?
While no active exploitation campaigns have been publicly confirmed, the vulnerability's nature makes it likely to be targeted. Monitor your systems and security feeds for any suspicious activity.
Where can I find the official Cost Calculator Builder advisory for CVE-2025-14755?
Refer to the official Cost Calculator Builder website and WordPress plugin repository for the latest security advisory and update information regarding CVE-2025-14755.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Scan nu uw WordPress project — geen account
Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...