CVE-2024-6010: CWE-472 External Control of Assumed-Immutable Web Parameter in StylemixThemes Cost Calculator Builder PRO
The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated attackers to manipulate the price of orders submitted via the calculator. Note: this vulnerability was partially patched with the release of Cost Calculator Builder version 3.2.17.
AI Analysis
Technical Summary
The Cost Calculator Builder PRO plugin for WordPress contains a vulnerability (CWE-472) where external control of an assumed-immutable web parameter (the price field) allows unauthenticated attackers to manipulate order prices. This occurs because the 'create_cc_order' function processes the price field without adequate validation or protection against tampering. The vulnerability affects all versions up to and including 3.2.1. A partial patch was released in version 3.2.17, but the current patch status is not confirmed from the provided data.
Potential Impact
An attacker can manipulate the price of orders submitted through the calculator without authentication, potentially leading to unauthorized price reductions or financial loss. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
A partial patch was introduced in version 3.2.17 of the Cost Calculator Builder plugin. However, the full patch or remediation status is not confirmed. Users should upgrade to the latest plugin version available and monitor the vendor advisory for official fixes. Until a confirmed patch is available, consider restricting access to the calculator or implementing additional validation controls on order prices.
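The "additional validation controls on order prices" named above come down to one rule for a CWE-472 flaw of this kind: the server must not trust a client-submitted price, but recompute the total from its own stored calculator configuration and use that value. The PHP sketch below is an added example written for this page, not code from the plugin or the vendor; the `cc_` function names, the `$request` layout and the calculator configuration shape are assumptions, and it puts the vulnerable pattern beside the hardened one.

```php
<?php
// Added example, not the plugin's code. All cc_* names and data shapes are hypothetical.

// VULNERABLE pattern: the client-submitted total is taken at face value and stored.
function cc_create_order_vulnerable(array $request): array {
    $price = (float) ($request['price'] ?? 0);   // attacker-controlled, never checked
    return ['status' => 'created', 'total' => $price];
}

// Server-side source of truth: per-field unit prices the site owner configured.
// Constructed sample; a real plugin would load this from its own stored settings.
function cc_load_calculator_config(int $calculator_id): array {
    $configs = [
        7 => ['fields' => ['area_sqm' => 12.50, 'rooms' => 80.00, 'rush' => 150.00]],
    ];
    return $configs[$calculator_id] ?? [];
}

// Recompute the total from the submitted *selections*, never from a submitted price.
function cc_compute_total(array $config, array $selections): float {
    $total = 0.0;
    foreach ($config['fields'] as $name => $unit_price) {
        $qty = $selections[$name] ?? 0;
        if (!is_numeric($qty) || $qty < 0) {
            throw new InvalidArgumentException("invalid quantity for field '$name'");
        }
        $total += $unit_price * (float) $qty;
    }
    return round($total, 2);
}

// HARDENED pattern: the submitted price is only an expectation to compare against;
// the order is always created with the server-computed total.
function cc_create_order_hardened(array $request): array {
    $config = cc_load_calculator_config((int) ($request['calculator_id'] ?? 0));
    if (empty($config)) {
        return ['status' => 'rejected', 'reason' => 'unknown calculator'];
    }
    $server_total = cc_compute_total($config, $request['selections'] ?? []);
    $client_total = (float) ($request['price'] ?? 0);
    // A mismatch is a tamper signal worth logging for detection; it never changes the total.
    if (abs($server_total - $client_total) > 0.005) {
        error_log("cc_create_order: price mismatch client={$client_total} server={$server_total}");
    }
    return ['status' => 'created', 'total' => $server_total];
}

// Constructed request: selections imply 2*12.50 + 3*80.00 = 265.00, but 'price' claims 1.00.
$tampered = ['calculator_id' => 7, 'price' => 1.00,
             'selections' => ['area_sqm' => 2, 'rooms' => 3, 'rush' => 0]];
var_dump(cc_create_order_vulnerable($tampered)['total']); // stores the tampered value
var_dump(cc_create_order_hardened($tampered)['total']);   // stores the recomputed value
```

The mismatch log line is the detection hook: a flood of client/server price disagreements on one site is a direct indicator that the calculator is being probed for this class of issue.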
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-06-14T16:33:02.308Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bfab7ef31ef0b55d3ef
Added to database: 2/25/2026, 9:39:06 PM
Last enriched: 4/9/2026, 8:04:47 AM
Last updated: 4/12/2026, 7:58:56 AM