Cost Calculator Builder < 3.6.4 – Unauthenticated Arbitrary File Deletion | CVE 2025-12529 | Plugin Vulnerabilities

Description

The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable.

Affects Plugins

cost-calculator-builder

Fixed in 3.6.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4154684d-3f9b-418f-b9d1-a5d22d4d84d3

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

YC_Infosec

Verified

No

WPVDB ID

d34e5477-a74b-48e7-9b54-818cf31e5800

Timeline

Publicly Published

2025-12-01 (about 5 months ago)

Added

2025-12-01 (about 5 months ago)

Last Updated

2025-12-02 (about 5 months ago)

Other

Published

Title

Published

2023-03-28

Title

Easy Media Replace < 0.2.0 - Author+ File Deletion

Published

2023-12-26

Title

Media File Renamer < 5.7.8 - Admin+ Remote Code Execution

Published

2025-11-24

Title

AI Engine for WordPress: ChatGPT, GPT Content Generator <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read

Published

2025-12-20

Title

WPvivid Backup & Migration < 0.9.121 - Admin+ Arbitrary Directory Creation

Published

2024-12-20

Title

Easy Digital Downloads < 3.3.3 - Authenticated (Admin+) Arbitrary File Download