CVE-2025-14757

Published Jan 16, 2026

Last updated 3 months ago

CVSS medium 5.3

Overview

Description
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without actual payment.
Source
security@wordfence.com
NVD status
Analyzed
Products
cost_calculator_builder

Risk scores

CVSS 3.1

Type
Primary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity
MEDIUM

Weaknesses

security@wordfence.com
CWE-862

Social media

Hype score
Not currently trending

  1. CVE-2025-14757 The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in … https://t.co/87fsOkVWls

    @CVEnew

    16 Jan 2026

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.CVE-2024-10892
  2. The Cost Calculator Builder WordPress plugin before 3.2.29 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.CVE-2024-8379
  3. The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated attackers to manipulate the price of orders submitted via the calculator. Note: this vulnerability was partially patched with the release of Cost Calculator Builder version 3.2.17.CVE-2024-6010
  4. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Cost Calculator Builder allows SQL Injection.This issue affects Cost Calculator Builder: from n/a through 3.2.15.CVE-2024-43144
  5. The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary posts and append arbitrary content to existing posts.CVE-2024-6012

References

Sources include official advisories and independent security research.