cleantalk
Vulnerabilities and Security Researches

Cost Calculator Builder, CVE-2025-12529

CVE, Research URL

CVE-2025-12529

Home page URL

Security reports for Cost Calculator Builder

Application

Cost Calculator Builder

Published on
Dec 02, 2025
Research Description
The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable.
Affected versions
max 3.6.4.
Status
vulnerable
Previous vulnerability researches
Cost Calculator Builder (CVE-2024-6010) , Sep 08, 2024
Cost Calculator Builder (CVE-2023-40011) , Jun 10, 2024
Cost Calculator Builder (CVE-2025-9243) , Nov 11, 2025
Cost Calculator Builder (CVE-2024-8379) , Oct 01, 2024
Cost Calculator Builder (CVE-2024-6011) , Jul 04, 2024
New vulnerability
GitHub Gist Shortcode Plugin (CVE-2025-12667) , Dec 12, 2025
Cryptocurrency Payment Gateway for WooCommerce (CVE-2025-12392) , Dec 12, 2025
Wbcom Designs – Private Community for BuddyPress (CVE-2025-67582) , Dec 12, 2025
WP-Walla (CVE-2025-12589) , Dec 12, 2025
Master Addons for Elementor (CVE-2025-63055) , Dec 12, 2025