CVE-2025-12529: CWE-73 External Control of File Name or Path in stylemix Cost Calculator Builder
The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable.
AI Analysis
Technical Summary
CVE-2025-12529 is classified under CWE-73 (External Control of File Name or Path) and affects the Cost Calculator Builder WordPress plugin by stylemix in all versions up to and including 3.6.3. The flaw is in the deleteOrdersFiles() function, which does not adequately validate the file paths associated with an order before removing them. The attack is second-order: an unauthenticated attacker supplies a crafted path as part of an order, and nothing happens until an administrator deletes that order, at which point the plugin unlinks whatever path was stored. The deletion runs with the file-system permissions of the PHP worker process, not under any check tied to the administrator's role, so the administrator merely pulls the trigger. Deleting wp-config.php is the classic escalation from arbitrary file deletion to remote code execution: without its configuration file WordPress falls back to the installation routine, which lets the attacker point the site at a database they control and from there obtain code execution. Exploitation requires the Cost Calculator Builder Pro version to be installed alongside the free plugin, which narrows the exposed population but not the severity. The CVSS 3.1 base score of 8.8 corresponds to a network attack vector, low attack complexity, no privileges required, user interaction required (the administrator deleting orders), and high impact on confidentiality, integrity and availability. No public exploit is known at the time of writing, and no fixed version is linked from this record, so treat the issue as unpatched until the vendor's release notes say otherwise and rely on the temporary mitigations below in the meantime.
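The pattern behind the flaw, as an added illustration written for this page rather than code from the plugin or from stylemix: a deletion routine that trusts a stored file name, next to a hardened resolver that reduces the value to a bare name, allowlists it, and confirms the resolved path still sits inside the upload directory. Function names, the directory layout and the sample order entries are hypothetical; the plugin's real deleteOrdersFiles() is not reproduced here.

```php
<?php
// Added illustration of CWE-73 in a file-deletion routine (not the plugin's code).
// Requires PHP 8.0+ (str_starts_with). Names, paths and order data are hypothetical.
declare(strict_types=1);

// Unsafe: the stored name is used as-is. Because the name came from an
// unauthenticated order submission, "../wp-config.php" or an absolute path
// is honoured when an administrator later deletes the order.
function delete_order_files_unsafe(string $uploadDir, array $storedNames): array
{
    $deleted = [];
    foreach ($storedNames as $name) {
        $target = $uploadDir . '/' . $name;
        if (file_exists($target) && @unlink($target)) {
            $deleted[] = $target;
        }
    }
    return $deleted;
}

// Hardened: strip any directory component, allow only the characters and
// extensions the feature needs, then verify that the realpath of the result
// still lies under the upload directory (this also catches symlink escapes).
function resolve_order_file(string $uploadDir, string $storedName): ?string
{
    $base = rtrim(realpath($uploadDir) ?: '', DIRECTORY_SEPARATOR);
    if ($base === '') {
        return null;
    }
    $name = basename($storedName);
    if ($name === '' || $name !== $storedName) {          // rejects "../x" and "/etc/x"
        return null;
    }
    if (str_starts_with($name, '.')) {                     // no dotfiles such as .htaccess
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $name)) {
        return null;
    }
    if (!preg_match('/\.(pdf|png|jpe?g)\z/i', $name)) {   // only attachment types we issue
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false) {                                 // nothing to delete
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                       // symlink pointed outside uploads
    }
    return $real;
}

function delete_order_files_hardened(string $uploadDir, array $storedNames): array
{
    $deleted = [];
    foreach ($storedNames as $name) {
        $real = resolve_order_file($uploadDir, $name);
        if ($real !== null && is_file($real) && unlink($real)) {
            $deleted[] = $real;
        }
    }
    return $deleted;
}

// Demonstration on a constructed temporary layout, not a real site.
$root = sys_get_temp_dir() . '/ccb-demo-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // constructed stand-in for the real config\n");
file_put_contents("$root/uploads/quote-1.pdf", "constructed order attachment\n");

// Values an attacker might have planted in an order alongside a legitimate one.
$stored = ['quote-1.pdf', '../wp-config.php', "$root/wp-config.php", '.htaccess'];

foreach ($stored as $n) {
    printf("%-40s -> %s\n", $n, resolve_order_file("$root/uploads", $n) ?? 'REJECTED');
}
// Only quote-1.pdf resolves; the traversal, absolute path and dotfile are rejected.

delete_order_files_hardened("$root/uploads", $stored);
var_dump(file_exists("$root/wp-config.php"));        // bool(true): config survived
var_dump(file_exists("$root/uploads/quote-1.pdf"));  // bool(false): the real attachment went

// Cleanup of the demo tree.
@unlink("$root/wp-config.php");
rmdir("$root/uploads");
rmdir($root);
```

Swapping delete_order_files_hardened() for delete_order_files_unsafe() in the demonstration removes the constructed wp-config.php, which is the whole bug in one line: the stored name is joined to a directory and passed to unlink() without ever being checked against that directory.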
Potential Impact
For European organizations the exposure is concentrated in WordPress sites that use Cost Calculator Builder for quoting, service pricing and e-commerce cost estimation, with both the free plugin and the Pro add-on installed. Successful exploitation deletes files of the attacker's choosing from the web root; losing wp-config.php takes the site down and, through the resulting installer state, can hand the attacker code execution on the web server and a foothold toward connected systems. The consequences are outage, data loss and, where personal data is reached, a reportable incident under GDPR. Two properties make the bug worse than its user-interaction requirement suggests: the malicious path is planted without any credentials, and the triggering action (an administrator deleting orders) is routine housekeeping that will happen eventually without social engineering, although a phishing lure or an insider could bring it forward. Availability and integrity are the main concerns for organizations whose revenue depends on the site staying up and quoting correctly.
Mitigation Recommendations
1. Immediately audit all WordPress installations for the Cost Calculator Builder plugin and note which of them also have the Pro version installed; only that combination is exploitable.
2. Disable or uninstall the plugin where it is not essential, or remove the Pro version where it is not actually in use, until a fixed release is available.
3. Pause routine deletion of orders. The attacker's path does nothing until an administrator deletes the order that carries it, so simply not deleting orders removes the trigger while you wait for a patch.
4. Before any order is deleted, review the file names stored with it for directory separators, ".." sequences, absolute paths or references to files outside the plugin's upload area.
5. Make sure the PHP worker process cannot unlink critical files. unlink() needs write permission on the containing directory, not on the file, so a read-only wp-config.php in a web-root directory owned by the web user is still deletable; the web root should be owned by a separate deployment user with the PHP worker limited to the directories it must write (uploads, cache).
6. Monitor for deletion of critical WordPress files (wp-config.php, .htaccess, index.php). If wp-config.php disappears or the site unexpectedly shows the installation screen, treat it as an active compromise, take the site offline and restore from backup rather than re-running the installer.
7. Implement file integrity monitoring with a baseline stored outside the web root so that a deleted or altered file is reported, not just a changed one.
8. Apply web application firewall rules that block order submissions containing path traversal or absolute-path patterns in file-name fields, and log attempts for later review.
9. Follow stylemix vendor updates closely and apply the fixed version as soon as it is released; confirm the installed version is above 3.6.3 afterwards.
10. Consider isolating WordPress environments or using containerization to limit the impact of a compromised web server.
11. Educate administrators that deleting orders is the step that fires this bug, and ask them to escalate rather than delete if an order looks anomalous.
12. Back up WordPress sites and databases regularly, keep the backups off the web server, and test that wp-config.php can be restored from them.
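A defender-side check for items 5 to 7 above, added for this page and not part of the plugin or any vendor tooling. Run it as the PHP worker user so that the permission answer is the one that matters (for example sudo -u www-data php wp-unlink-check.php /var/www/html); with no argument it builds a constructed temporary tree and demonstrates both the exposure report and the integrity diff on that tree. The file list, function names and output format are this example's own choices.

```php
<?php
// Added defender-side check (not from the plugin or vendor).
// Usage: sudo -u www-data php wp-unlink-check.php /var/www/html [baseline.json]
// Without arguments it runs against a constructed temporary tree.
declare(strict_types=1);

const CRITICAL_FILES = ['wp-config.php', '.htaccess', 'index.php', 'wp-settings.php', 'wp-load.php'];

/** For each critical file, report whether the *current process* could unlink it.
 *  unlink() requires write permission on the parent directory, so the file's own
 *  mode is irrelevant; a 0400 wp-config.php in a www-data-owned directory is deletable.
 *  (Sticky bits and immutable attributes are not modelled here.) */
function unlink_exposure(string $wpRoot): array
{
    $report = [];
    foreach (CRITICAL_FILES as $rel) {
        $path = $wpRoot . '/' . $rel;
        $exists = file_exists($path);
        $report[$rel] = [
            'exists'    => $exists,
            'deletable' => $exists && is_writable(dirname($path)),
        ];
    }
    return $report;
}

/** SHA-256 of every critical file that exists. Store the result outside the web root. */
function integrity_baseline(string $wpRoot): array
{
    $baseline = [];
    foreach (CRITICAL_FILES as $rel) {
        $path = $wpRoot . '/' . $rel;
        if (is_file($path)) {
            $baseline[$rel] = hash_file('sha256', $path);
        }
    }
    return $baseline;
}

/** Compare the live tree with a stored baseline. 'missing' is the signal this CVE produces. */
function integrity_diff(array $baseline, string $wpRoot): array
{
    $findings = [];
    foreach ($baseline as $rel => $hash) {
        $path = $wpRoot . '/' . $rel;
        if (!is_file($path)) {
            $findings[$rel] = 'missing';
        } elseif (hash_file('sha256', $path) !== $hash) {
            $findings[$rel] = 'modified';
        }
    }
    return $findings;
}

$demo = !isset($argv[1]);
$root = $demo ? sys_get_temp_dir() . '/wp-check-' . bin2hex(random_bytes(4)) : rtrim($argv[1], '/');

if ($demo) {
    // Constructed sample tree: a read-only config inside a directory we own.
    mkdir($root, 0700);
    file_put_contents("$root/wp-config.php", "<?php // constructed sample, not a real config\n");
    chmod("$root/wp-config.php", 0400);
}

echo "Unlink exposure for $root\n";
foreach (unlink_exposure($root) as $rel => $r) {
    printf("  %-18s exists=%s deletable=%s\n", $rel, $r['exists'] ? 'yes' : 'no', $r['deletable'] ? 'YES' : 'no');
}
// In the demo, wp-config.php reports deletable=YES despite its 0400 mode.

if ($demo) {
    $baseline = integrity_baseline($root);
    unlink("$root/wp-config.php");                   // simulate the attack outcome on the demo tree only
    print_r(integrity_diff($baseline, $root));       // Array ( [wp-config.php] => missing )
    rmdir($root);
} elseif (isset($argv[2]) && is_file($argv[2])) {
    // Scheduled run: compare against a previously saved baseline.
    $baseline = json_decode((string) file_get_contents($argv[2]), true) ?: [];
    $diff = integrity_diff($baseline, $root);
    echo $diff ? "ALERT: " . json_encode($diff) . "\n" : "Critical files unchanged.\n";
    exit($diff ? 1 : 0);
} else {
    // First run: emit a baseline to keep somewhere the web user cannot write.
    echo json_encode(integrity_baseline($root), JSON_PRETTY_PRINT), "\n";
}
```

The first run prints a baseline to redirect into a file outside the web root; a cron job that passes that file as the second argument exits non-zero and prints ALERT when any critical file is missing or modified, which is the condition to page on for this bug. The exposure report is the more important half: if it says deletable=YES for wp-config.php while running as the PHP worker, fix the directory ownership regardless of whether this plugin is installed.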
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T17:54:27.730Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692e50a4f2f793a7de7cda0c
Added to database: 12/2/2025, 2:36:20 AM
Last enriched: 12/2/2025, 2:51:23 AM
Last updated: 12/2/2025, 12:54:46 PM