Description
The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable.
Published: 2025-12-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Cost Calculator Builder plugin for WordPress contains a flaw that lets an attacker delete any file the web server process can write to, by way of an administrator's routine removal of order records. The root cause is insufficient path validation in the deleteOrdersFiles() routine (CWE-73, external control of a file name or path): an unauthenticated attacker can plant attacker-chosen file paths in order data, and those paths are handed to the deletion logic when an administrator later deletes the affected orders. If a critical file such as wp-config.php is removed, WordPress falls back to its installation routine, which an attacker can complete against a database under their control and then use to install arbitrary code, turning the file deletion into remote code execution.

Affected Systems

WordPress installations running Cost Calculator Builder version 3.6.3 or earlier with the Cost Calculator Builder Pro add-on installed alongside the free plugin. Per the advisory, sites running only the free plugin are not exploitable. The page does not state which Pro versions are affected, so treat any site with both components present as in scope until the vendor says otherwise.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): reachable over the network with no privileges, but user interaction is required because the deletion only happens when an administrator removes the poisoned orders. The EPSS score below 1 % indicates a low predicted probability of exploitation in the wild, not that exploitation is impossible, and the CVE is not listed in the CISA KEV catalogue. The attack path is two-step: an unauthenticated attacker submits order data containing arbitrary file paths (for example a traversal sequence resolving to wp-config.php), then waits for an administrator to delete those orders, at which point deleteOrdersFiles() unlinks the referenced files. Successful exploitation destroys critical configuration data and can be chained into execution of arbitrary code by the web server.
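As an added illustration of the pattern described in the Impact and Risk sections above (this is not the plugin's code: the real deleteOrdersFiles() is not reproduced, and the order record layout, the ccb-orders upload subdirectory and every function name are assumptions made for the example), the following PHP script contrasts an unchecked deletion loop with one that confines each path to the order-upload directory via realpath() and a prefix check, and reuses that check to flag stored order paths that would escape the directory, which is the review step the monitoring advice on this page calls for:

```php
<?php
// Added illustration for CVE-2025-12529 (CWE-73). Not the plugin's code: the
// order record shape, the ccb-orders subdirectory and all helper names are
// assumed for the demo.
declare(strict_types=1);

// Throw-away sandbox standing in for wp-content/uploads so that realpath()
// resolves and the script runs offline. Constructed for this example.
function make_sandbox(): array
{
    $root = sys_get_temp_dir() . '/ccb-demo-' . bin2hex(random_bytes(4));
    $uploads = $root . '/uploads';
    mkdir($uploads . '/ccb-orders', 0700, true);
    touch($uploads . '/ccb-orders/quote-42.pdf');   // a legitimate order file
    touch($root . '/wp-config.php');                // the file an attacker wants gone
    return [$root, $uploads];
}

// The pattern the advisory describes: a path stored with the order is handed
// to unlink() unchecked, so whoever controls the stored path chooses the target.
function delete_order_files_vulnerable(array $order): array
{
    $deleted = [];
    foreach ($order['files'] as $path) {
        if (is_file($path) && unlink($path)) {
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// Hardened check: canonicalise, confine to the order-upload directory, and
// accept only the file types the feature is expected to produce.
function is_safe_order_file(string $path, string $uploads): bool
{
    $base = realpath($uploads . '/ccb-orders');
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;                          // unresolvable path or missing file
    }
    // Trailing separator matters: without it "ccb-orders-old/x" would pass.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                          // escapes the confined directory
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, ['pdf', 'csv', 'png', 'jpg'], true) && is_file($real);
}

function delete_order_files_hardened(array $order, string $uploads): array
{
    $deleted = [];
    foreach ($order['files'] as $path) {
        // Reject rather than "normalise": a rejected entry is evidence, not input.
        if (is_safe_order_file($path, $uploads) && unlink($path)) {
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// Hunting helper: list stored paths that would fail the check, so injected
// entries surface before an administrator deletes the orders they live in.
function suspicious_order_paths(array $orders, string $uploads): array
{
    $flagged = [];
    foreach ($orders as $id => $order) {
        foreach ($order['files'] as $path) {
            if (!is_safe_order_file($path, $uploads)) {
                $flagged[] = [$id, $path];
            }
        }
    }
    return $flagged;
}

[$root, $uploads] = make_sandbox();
// Constructed order records: one legitimate, one carrying an injected path.
$orders = [
    101 => ['files' => [$uploads . '/ccb-orders/quote-42.pdf']],
    102 => ['files' => [$uploads . '/ccb-orders/../../wp-config.php']],
];

foreach (suspicious_order_paths($orders, $uploads) as [$id, $path]) {
    echo "order $id: refusing to delete $path\n";
}
$kept = delete_order_files_hardened($orders[102], $uploads);
echo 'hardened deleted ' . count($kept) . ' file(s); wp-config.php intact: '
    . (is_file($root . '/wp-config.php') ? 'yes' : 'no') . "\n";
$gone = delete_order_files_vulnerable($orders[102]);   // unlinks the traversal target
echo 'vulnerable deleted ' . count($gone) . ' file(s); wp-config.php intact: '
    . (is_file($root . '/wp-config.php') ? 'yes' : 'no') . "\n";
```

Run it with `php deletion-demo.php` on a POSIX host; it creates a throw-away directory under the system temp path and leaves it behind. Two design points carry over to real code: the prefix comparison includes the trailing directory separator so that a sibling directory with a shared prefix cannot pass, and a realpath() failure is treated as a rejection rather than a fall-through, so unlink() is never reached with a path that did not resolve inside the allowed tree.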

Generated by OpenCVE AI on April 21, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update both the free and Pro versions of Cost Calculator Builder to a release newer than 3.6.3 that the vendor states addresses the arbitrary file deletion flaw. No vendor fix is listed on this page, so confirm the fixed version in the vendor changelog or the Wordfence advisory before treating an update as remediation.
  • If an update cannot be applied, remove or disable the Pro add‑on that exposes the deleteOrdersFiles routine, or uninstall the plugin entirely until a validated fix is available.
  • As a stop-gap, not a fix: configure your web application firewall or security plugin to block order submissions whose fields contain directory traversal sequences (../ and its URL-encoded variants) or absolute filesystem paths, review stored order records for such values before any administrator deletes them, and monitor file integrity, in particular wp-config.php and .htaccess, so an unexpected removal is noticed before the installation wizard can be abused.



Advisories

No advisories yet.

History

Tue, 02 Dec 2025 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Dec 2025 12:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Stylemixthemes; Stylemixthemes cost Calculator Builder; Wordpress; Wordpress wordpress
Vendors & Products    -                Stylemixthemes; Stylemixthemes cost Calculator Builder; Wordpress; Wordpress wordpress

Tue, 02 Dec 2025 02:30:00 +0000

Type          Values Removed   Values Added
Description   -                The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable.
Title         -                Cost Calculator Builder <= 3.6.3 - Unauthenticated Arbitrary File Deletion
Weaknesses    -                CWE-73
References    -                -
Metrics       -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:38.460Z

Reserved: 2025-10-30T17:54:27.730Z

Link: CVE-2025-12529

Vulnrichment

Updated: 2025-12-02T16:51:43.520Z

NVD

Status : Deferred

Published: 2025-12-02T03:16:15.657

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12529

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses