CVE-2025-14755

Published 13/05/2026 05:16 · Modified 13/05/2026 14:43

Labels: CVE-2025-14755, 2026-05-13, CWE-862, [email protected]

Essential information

Published: 13/05/2026 05:16
Modified: 13/05/2026 14:43
Author:
Creator:
CVSS: 5.3 MEDIUM (v3.1)
CISA KEV: No
CWE: CWE-862
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb_woocommerce_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the renderWooCommercePayment() function passing user-controlled data directly to CCBWooCheckout::init() without authorization checks. This makes it possible for unauthenticated attackers to add WooCommerce products to their cart with attacker-controlled prices.

NVD status

Status: Deferred. When a CVE is given this status, the NVD does not plan to analyze or re-analyze this CVE due to resource or other concerns.
Source: [email protected]

Affected products (CPE)

Product | CPE
wordpress / cost calculator builder | cpe:2.3:a:wordpress:cost_calculator_builder:*:*:*:*:*:wordpress:*:*
wordpress / cost calculator builder pro | cpe:2.3:a:wordpress:cost_calculator_builder_pro:*:*:*:*:*:wordpress:*:*

References