Description
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status.
Published: 2025-10-04
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized alteration of order status
Action: Immediate Upgrade
AI Analysis

Impact

The Cost Calculator Builder WordPress plugin contains a missing capability check on its get_cc_orders and update_order_status functions. This flaw allows any authenticated user with Subscriber‑level access or higher to read and change order data, letting an attacker modify the status of orders they do not own or should not manage. The impact is the unauthorized alteration of order information, which can disrupt customer workflows, financial processing, and inventory handling.
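As an added illustration (not the plugin's own code, which this page does not show), a hypothetical WordPress admin-ajax handler for updating an order status, first in the CWE-862 shape described above and then in a hardened form with the capability check the fixed release is stated to add. Hook names, the nonce action, the capability and the meta key are assumptions.

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern, not the plugin's code.
// wp_ajax_* hooks fire for ANY logged-in user, Subscriber included, so the
// handler itself must verify authorization. This one never does.
function ccb_update_order_status_vulnerable() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    update_post_meta( $order_id, '_ccb_order_status', $status ); // assumed storage
    wp_send_json_success();
}
add_action( 'wp_ajax_ccb_update_order_status', 'ccb_update_order_status_vulnerable' );

// Hardened form: CSRF nonce + capability check + allow-listed input.
function ccb_update_order_status_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (nonce action name is an assumption). Dies on failure.
    check_ajax_referer( 'ccb_orders_nonce', 'nonce' );

    // 2. Authorization: only users permitted to manage orders may proceed.
    //    'manage_options' is Administrator-only by default; a plugin-specific
    //    capability mapped onto the right roles would be the cleaner choice.
    //    wp_send_json_error() ends the request, so a Subscriber stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validate input against an allow-list instead of trusting the client.
    $allowed  = array( 'pending', 'processing', 'completed', 'cancelled' );
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    if ( 0 === $order_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }

    update_post_meta( $order_id, '_ccb_order_status', $status );
    wp_send_json_success( array( 'order_id' => $order_id, 'status' => $status ) );
}
add_action( 'wp_ajax_ccb_update_order_status_hardened', 'ccb_update_order_status_hardened' );
```

The same capability check belongs in any read handler such as the page's get_cc_orders: a nonce alone only proves the request came from the site's own page, not that the user is allowed to see or change orders.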

Affected Systems

The affected product is Stylemix Cost Calculator Builder. All released versions up to and including 3.5.32 are vulnerable. Organizations using any of these versions without upgrading face the described risk.

Risk and Exploitability

The CVSS score of 8.1 classifies the issue as high severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw requires only authenticated access at the Subscriber level, the risk remains significant for sites with many such users or where order management is critical.

Generated by OpenCVE AI on April 20, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Cost Calculator Builder to version 3.5.33 or later, which includes proper capability checks for order functions.
  • Revoke or reduce Subscriber‑level access for users who do not require order management; configure role capabilities so that only Administrators can call get_cc_orders and update_order_status.
  • If an immediate upgrade is not feasible, deploy a temporary code patch or use a role‑management plugin to block or disable the plugin’s order‑management endpoints for all users except Administrators.



Advisories
Source: EUVD
ID: EUVD-2025-32422
Title: The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Mon, 06 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared: Stylemixthemes; Stylemixthemes cost Calculator Builder; Wordpress; Wordpress wordpress
Vendors & Products: Stylemixthemes; Stylemixthemes cost Calculator Builder; Wordpress; Wordpress wordpress

Sat, 04 Oct 2025 02:30:00 +0000

Type Values Removed Values Added
Description The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status.
Title Cost Calculator Builder <= 3.5.32 - Authenticated (Subscriber+) Missing Authorization via get_cc_orders/update_order_status Functions
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:22.077Z

Reserved: 2025-08-20T11:13:03.674Z

Link: CVE-2025-9243

Vulnrichment

Updated: 2025-10-06T14:14:55.771Z

NVD

Status : Deferred

Published: 2025-10-04T03:15:38.613

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses