
CVE-2024-6010: CWE-472 External Control of Assumed-Immutable Web Parameter in StylemixThemes Cost Calculator Builder PRO

Severity: Medium
Type: Vulnerability (CVE-2024-6010, CWE-472)
Published: Sat Sep 07 2024 (09/07/2024, 11:17:06 UTC)
Source: CVE Database V5
Vendor/Project: StylemixThemes
Product: Cost Calculator Builder PRO

Description

CVE-2024-6010 is a medium-severity vulnerability in the StylemixThemes Cost Calculator Builder PRO WordPress plugin, affecting all versions up to 3.2.1. It allows unauthenticated attackers to manipulate the price field in orders submitted via the calculator, due to insufficient validation in the 'create_cc_order' function. This price manipulation is an integrity issue: attackers can submit orders with altered prices without authentication or user interaction. Although a partial patch was released in version 3.2.17, earlier versions remain vulnerable. The vulnerability has a CVSS score of 5.3, reflecting its moderate impact and ease of exploitation.

AI-Powered Analysis

Last updated: 02/26/2026, 02:59:53 UTC

Technical Analysis

CVE-2024-6010 is a vulnerability classified under CWE-472 (External Control of Assumed-Immutable Web Parameter) found in the Cost Calculator Builder PRO plugin for WordPress developed by StylemixThemes. The flaw exists in all versions up to and including 3.2.1, where the plugin's 'create_cc_order' function fails to properly validate the price field submitted via the cost calculator interface. This improper validation allows unauthenticated attackers to externally manipulate the price parameter before it is processed, effectively enabling them to submit orders with arbitrary prices. The vulnerability does not require authentication or user interaction, making it remotely exploitable over the network. The partial patch released in version 3.2.17 addresses some aspects of the issue, but earlier versions remain vulnerable. The CVSS 3.1 base score of 5.3 reflects a medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact affects integrity (I:L) but not confidentiality or availability. This vulnerability can be leveraged to conduct price manipulation attacks, potentially leading to financial losses and undermining trust in affected e-commerce or service platforms using this plugin.

Potential Impact

The primary impact of CVE-2024-6010 is the integrity compromise of order pricing in websites using the Cost Calculator Builder PRO plugin. Attackers can submit orders with manipulated prices, potentially paying less than intended or bypassing pricing rules. This can lead to direct financial losses for businesses relying on the plugin for price calculations, especially in e-commerce, service quoting, or booking platforms. The vulnerability does not affect confidentiality or availability, so data breaches or denial of service are not immediate concerns. However, repeated exploitation could result in significant revenue loss, customer trust erosion, and reputational damage. Organizations may also face challenges in transaction reconciliation and fraud detection. Since the vulnerability is exploitable without authentication or user interaction, the attack surface is broad, increasing the likelihood of exploitation if unpatched. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often reverse-engineer patches to develop exploits.

Mitigation Recommendations

To mitigate CVE-2024-6010, organizations should immediately update the Cost Calculator Builder PRO plugin to version 3.2.17 or later, where partial patches have been applied. Given the partial nature of the patch, it is advisable to monitor vendor communications for further updates or full fixes. Additionally, implement server-side validation of all price-related input parameters to ensure they conform to expected ranges and formats before processing orders. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests manipulating price fields. Enable detailed logging and monitoring of order submissions to identify anomalous pricing patterns indicative of exploitation attempts. Consider restricting access to the calculator endpoints via IP whitelisting or CAPTCHA challenges to reduce automated abuse. Conduct regular security audits and penetration testing focused on input validation and business logic flaws in e-commerce workflows. Finally, educate development teams on secure coding practices to prevent similar vulnerabilities in future plugin customizations or integrations.
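To make the server-side validation recommended above concrete, here is an added example in the style of a WordPress AJAX handler; it is illustrative code written for this page, not the StylemixThemes plugin's own code. All names (example_* functions, the calculator_id and quantity fields, the rates table) are hypothetical, and the rates are constructed sample data. The vulnerable form stores whatever price the client sends (the CWE-472 pattern); the hardened form derives the price from server-held rates and treats a mismatching client value as tampering.

```php
<?php
// Hypothetical order-creation handler for a WordPress cost-calculator plugin.
// Not the StylemixThemes code; all names here are illustrative.

// Server-side source of truth: per-calculator unit prices (constructed sample data).
function example_get_calculator_rates( $calculator_id ) {
    $rates = array(
        'calc-1' => array( 'base' => 100.00, 'per_unit' => 12.50 ),
    );
    return isset( $rates[ $calculator_id ] ) ? $rates[ $calculator_id ] : null;
}

// Recompute the order total from server-held rates and a validated quantity.
function example_compute_total( $calculator_id, $quantity ) {
    $rates = example_get_calculator_rates( $calculator_id );
    if ( null === $rates ) {
        return null;
    }
    return round( $rates['base'] + $rates['per_unit'] * $quantity, 2 );
}

// BEFORE (CWE-472 pattern): the client-supplied price is stored unchanged.
function example_create_order_vulnerable() {
    $price = (float) $_POST['price']; // attacker-controlled, never re-derived
    return array( 'price' => $price, 'status' => 'pending' );
}

// AFTER: the client only selects the calculator and quantity; the price is server-derived.
// Registered on the nopriv hook too, because ordering is an unauthenticated feature.
function example_create_order_hardened() {
    check_ajax_referer( 'example_order', 'nonce' ); // WordPress CSRF token check
    $calculator_id = sanitize_key( $_POST['calculator_id'] ?? '' );
    $quantity      = absint( $_POST['quantity'] ?? 0 );
    if ( $quantity < 1 || $quantity > 1000 ) {
        wp_send_json_error( 'invalid quantity', 400 );
    }
    $total = example_compute_total( $calculator_id, $quantity );
    if ( null === $total ) {
        wp_send_json_error( 'unknown calculator', 400 );
    }
    // A client-sent total is only used as a tamper signal; it never overrides $total.
    if ( isset( $_POST['price'] ) && abs( (float) $_POST['price'] - $total ) > 0.005 ) {
        error_log( sprintf( 'price mismatch calc=%s client=%.2f server=%.2f',
            $calculator_id, (float) $_POST['price'], $total ) );
        wp_send_json_error( 'price mismatch', 400 );
    }
    return array( 'price' => $total, 'quantity' => $quantity, 'status' => 'pending' );
}
add_action( 'wp_ajax_nopriv_example_create_order', 'example_create_order_hardened' );
add_action( 'wp_ajax_example_create_order', 'example_create_order_hardened' );
```

The logged mismatch line is the kind of signal the monitoring recommendation above can alert on: a client total that differs from the recomputed one indicates a tampered request rather than a pricing bug.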


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-06-14T16:33:02.308Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6bfab7ef31ef0b55d3ef

Added to database: 2/25/2026, 9:39:06 PM

Last enriched: 2/26/2026, 2:59:53 AM

Last updated: 2/26/2026, 6:17:16 AM

