CVE-2025-12529 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in the Cost Calculator Builder plugin for WordPress, developed by stylemix. The flaw exists in the deleteOrdersFiles() function, which inadequately validates file paths when deleting order-related files. This improper validation allows an unauthenticated attacker to inject arbitrary file paths into the deletion process triggered by an administrator's action. When the administrator deletes orders, the plugin may delete files outside the intended scope, including critical WordPress files such as wp-config.php. Deleting such files can lead to remote code execution, as attackers can manipulate the environment or cause denial of service by removing essential files. Exploitation requires that both the free and Pro versions of the plugin be installed, limiting the attack surface somewhat. The vulnerability affects all versions up to and including 3.6.3. The CVSS 3.1 base score is 8.8, indicating a high-severity issue with network attack vector, low attack complexity, no privileges required, but user interaction (administrator deleting orders) is necessary. No patches or exploit code are currently publicly available, but the risk is significant given the potential for remote code execution and full site compromise.

The impact of CVE-2025-12529 is substantial for organizations using the affected plugin. Successful exploitation can lead to arbitrary file deletion, including critical WordPress configuration files, resulting in remote code execution or complete site compromise. This threatens confidentiality by potentially exposing sensitive data, integrity by allowing attackers to alter or delete files, and availability by causing site outages or denial of service. Since the attack requires an administrator to perform deletion actions, the risk is elevated in environments where administrators may be tricked or where automated processes delete orders. The vulnerability could be leveraged by attackers to gain persistent control over WordPress sites, leading to data breaches, defacement, or use of the site as a launchpad for further attacks. Given WordPress's widespread use globally, especially in e-commerce and business websites, the threat could affect a large number of organizations, causing reputational damage and financial losses.

1. Immediately update the Cost Calculator Builder plugin to a patched version once released by stylemix. 2. Until a patch is available, disable or restrict access to the order deletion functionality to trusted administrators only. 3. Implement strict file system permissions on the WordPress installation to prevent unauthorized file deletions, especially protecting critical files like wp-config.php. 4. Employ web application firewalls (WAFs) with rules to detect and block suspicious file path manipulation attempts targeting the plugin's endpoints. 5. Monitor logs for unusual deletion requests or patterns indicating exploitation attempts. 6. Educate administrators about the risk of deleting orders without verifying the source or context. 7. Consider isolating the WordPress environment or using containerization to limit the impact of potential file deletions. 8. Regularly back up WordPress files and databases to enable quick recovery from destructive attacks.