Impact
The Cost Calculator Builder plugin for WordPress allows unauthenticated users to alter the prices of WooCommerce products before adding them to the cart. The flaw lies in the ccb_woocommerce_payment AJAX action, which is registered for public access via wp_ajax_nopriv and forwards user‑controlled data to the CCBWooCheckout class without any authorization checks. An attacker can therefore manipulate the amount charged to the customer, potentially causing monetary loss or order disputes. Although the vulnerability does not provide remote code execution, it represents a significant authorization bypass that jeopardizes the integrity of the e‑commerce checkout process.
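The following is an added illustration of the pattern described above and is not code from the Cost Calculator Builder plugin. It contrasts a WordPress AJAX handler registered for unauthenticated callers via wp_ajax_nopriv that applies a client-supplied price as-is with a hardened handler that accepts only the user's inputs, recomputes the price on the server from stored product configuration, and re-applies that price at cart-total time. All action names, functions, meta keys and field names (example_checkout, example_server_side_price, _example_calc_rates, inputs) are hypothetical.

```php
<?php
// Added example: hypothetical WooCommerce add-to-cart handlers, not the plugin's own code.

// --- Weak pattern: the amount charged comes straight from the request. ---
add_action( 'wp_ajax_nopriv_example_checkout_weak', 'example_checkout_weak' );
add_action( 'wp_ajax_example_checkout_weak', 'example_checkout_weak' );
function example_checkout_weak() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $price      = (float) ( $_POST['price'] ?? 0 ); // client-controlled value, no nonce, no recomputation
    // Whatever price the caller sent is stored with the cart item and later charged.
    WC()->cart->add_to_cart( $product_id, 1, 0, array(), array( 'example_price' => $price ) );
    wp_send_json_success();
}

// --- Hardened pattern: the endpoint stays public (guests must check out), but the price is never trusted. ---
add_action( 'wp_ajax_nopriv_example_checkout', 'example_checkout_hardened' );
add_action( 'wp_ajax_example_checkout', 'example_checkout_hardened' );
function example_checkout_hardened() {
    // 1. Nonce issued with the calculator form (hypothetical action 'example_checkout', POST field 'nonce').
    check_ajax_referer( 'example_checkout', 'nonce' );

    $product_id = absint( $_POST['product_id'] ?? 0 );
    $product    = wc_get_product( $product_id );
    if ( ! $product || ! $product->is_purchasable() ) {
        wp_send_json_error( array( 'message' => 'Invalid product.' ), 400 );
    }

    // 2. Accept only the user's calculator inputs (quantities, dimensions), never a resulting price.
    $inputs = array_map( 'floatval', (array) ( $_POST['inputs'] ?? array() ) );

    // 3. Recompute the price server-side from configuration stored with the product.
    $price = example_server_side_price( $product_id, $inputs );
    if ( null === $price ) {
        wp_send_json_error( array( 'message' => 'Could not price this configuration.' ), 400 );
    }

    $item_data = array( 'example_price' => $price, 'example_inputs' => $inputs );
    $key       = WC()->cart->add_to_cart( $product_id, 1, 0, array(), $item_data );
    if ( ! $key ) {
        wp_send_json_error( array( 'message' => 'Could not add to cart.' ), 500 );
    }
    wp_send_json_success( array( 'cart_item_key' => $key ) );
}

// Hypothetical pricing routine: rates and base price live in post meta, not in the request.
function example_server_side_price( $product_id, array $inputs ) {
    $rates = get_post_meta( $product_id, '_example_calc_rates', true ); // e.g. array( 'width' => 2.5, 'height' => 1.2 )
    if ( ! is_array( $rates ) ) {
        return null;
    }
    $base  = (float) get_post_meta( $product_id, '_example_calc_base', true );
    $total = $base;
    foreach ( $rates as $field => $rate ) {
        // Negative inputs are clamped so they cannot drive the total below the base price.
        $value  = isset( $inputs[ $field ] ) ? max( 0.0, (float) $inputs[ $field ] ) : 0.0;
        $total += $value * (float) $rate;
    }
    return round( max( $total, $base ), wc_get_price_decimals() );
}

// Apply the server-computed price whenever WooCommerce recalculates totals.
add_action( 'woocommerce_before_calculate_totals', 'example_apply_cart_price', 20 );
function example_apply_cart_price( $cart ) {
    foreach ( $cart->get_cart() as $item ) {
        if ( isset( $item['example_inputs'] ) ) {
            // Recompute from the stored inputs rather than trusting the cached value in the session.
            $price = example_server_side_price( $item['product_id'], $item['example_inputs'] );
            if ( null !== $price ) {
                $item['data']->set_price( $price );
            }
        }
    }
}
```

The design point is that keeping the endpoint reachable without login is unavoidable for guest checkout; what closes the authorization gap is binding the request to a form nonce and treating every client-supplied amount as untrusted, deriving the charged price only from server-held configuration.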
Affected Systems
The flaw affects the WordPress Cost Calculator Builder plugin—styled as Stylemix Cost Calculator Builder—in versions up to and including 4.0.1, but only when the free plugin is used together with the Cost Calculator Builder PRO add‑on. Users who have installed either component should verify their plugin versions. The issue is specific to the WordPress environment and involves the plugin's WooCommerce integration.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate severity level. EPSS data is not available, and the flaw is not listed in CISA's KEV catalog, which suggests no current widespread exploitation, but it remains publicly known. Attackers only need to send a crafted request to the wp_ajax endpoint, so the attack vector is web‑based and does not require privileged access. Without proper authorization checks, the vulnerability can be exploited by anyone on the internet, posing a direct threat to business revenue and customer trust.
OpenCVE Enrichment