Cost Calculator Builder < 3.5.33 – Authenticated (Subscriber+) Missing Authorization via get_cc_orders/update_order_status Functions | CVE 2025-9243 | Plugin Vulnerabilities

Description

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status.

Affects Plugins

cost-calculator-builder

Fixed in 3.5.33

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/aa46bdb3-6bbe-4f2f-8e1a-fbb54c5b39fd

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

1c09ba8c-4124-4b05-ad8c-d13c19fe7018

Timeline

Publicly Published

2025-10-03 (about 7 months ago)

Added

2025-10-03 (about 7 months ago)

Last Updated

2025-11-07 (about 6 months ago)

Other

Published

Title

Published

2024-11-18

Title

Google for WooCommerce < 2.8.7 - Information Disclosure via Publicly Accessible PHP Info File

Published

2024-12-18

Title

Computer Repair Shop < 3.8120 - Authenticated (Customer+) Privilege Esclation via Account Takeover

Published

2024-12-19

Title

Member Directory and Contact Form < 1.8.0 - Missing Authorization

Published

2026-02-18

Title

Ridhi < 1.1.3 - Missing Authorization

Published

2024-04-29

Title

Democracy Poll <= 6.1.1 - Missing Authorization