CVE-2025-12529: CWE-73 External Control of File Name or Path in stylemix Cost Calculator Builder
The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable.
AI Analysis
Technical Summary
CVE-2025-12529 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in the Cost Calculator Builder plugin for WordPress, developed by stylemix. The flaw exists in the deleteOrdersFiles() function, which is responsible for deleting order-related files. Due to insufficient validation of file paths, an unauthenticated attacker can inject arbitrary file paths into the orders that get deleted when an administrator performs deletion actions. This injection enables attackers to delete arbitrary files on the server, including critical WordPress configuration files such as wp-config.php. The deletion of such files can lead to remote code execution, as attackers may manipulate or remove files essential for the site's security and operation. Exploitation requires that both the free and Pro versions of the Cost Calculator Builder plugin are installed, which is a precondition for the vulnerability to be triggered. The vulnerability affects all versions up to and including 3.6.3. The CVSS v3.1 score is 8.8 (high severity), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction (administrator deleting orders). The impact spans confidentiality, integrity, and availability, as arbitrary file deletion can compromise sensitive data, alter site behavior, and cause denial of service. As of the publication date, no known exploits have been observed in the wild. However, the potential for remote code execution makes this a critical concern for WordPress sites using this plugin, especially those with administrative users who manage orders regularly.
Potential Impact
For European organizations, this vulnerability poses significant risks, particularly for businesses relying on WordPress sites with the Cost Calculator Builder plugin installed. The ability for unauthenticated attackers to delete arbitrary files can lead to site downtime, data breaches, and full system compromise through remote code execution. This can disrupt e-commerce operations, damage brand reputation, and result in financial losses. Organizations handling sensitive customer data or regulated information may face compliance violations under GDPR if breaches occur. The attack does not require authentication, increasing the attack surface and risk. Since the vulnerability requires the Pro version alongside the free plugin, organizations using both are at higher risk. The impact is amplified in sectors with high reliance on online calculators for pricing or service quotes, such as finance, insurance, and retail. Recovery from such attacks may require restoring backups and conducting forensic investigations, increasing operational costs.
Mitigation Recommendations
Immediate mitigation steps include disabling or uninstalling the Cost Calculator Builder Pro plugin until a security patch is released. Administrators should avoid deleting orders via the plugin's interface if possible. Monitor file system changes, especially deletions of critical files like wp-config.php, and maintain regular, secure backups to enable rapid recovery. Implement strict file permissions on the WordPress installation to limit the plugin's ability to delete sensitive files. Employ web application firewalls (WAFs) with rules to detect and block suspicious requests targeting the plugin's endpoints. Keep WordPress core and all plugins updated, and subscribe to vendor security advisories for timely patch information. Conduct security audits focusing on file path validation and access controls. Educate administrators about the risks of deleting orders during the vulnerability window. Finally, consider isolating critical WordPress instances or using containerization to limit the blast radius of potential exploits.
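The containment check that the technical summary describes as missing, and that the "file path validation" audit recommendation asks for, written as an added PHP example; it is not the plugin's code, and the ccb_safe_delete_order_file() name, the ccb-orders upload subdirectory and the stored-path argument are assumptions made for the illustration.

```php
<?php
// Added illustration, not the plugin's code. The advisory describes a pattern in
// which a path stored with an order is handed to a delete routine when an
// administrator removes the order. This hardened variant only deletes a regular
// file that resolves inside the plugin's own upload subdirectory.
// ccb_safe_delete_order_file() and "ccb-orders" are hypothetical names.

/**
 * Delete an order attachment only if it resolves to a regular file inside
 * <uploads>/ccb-orders. Returns true on deletion, false on refusal.
 */
function ccb_safe_delete_order_file( string $stored_path ): bool {
    $upload = wp_upload_dir();
    // Canonicalise the allowed root so the comparison is between real paths.
    $root = realpath( trailingslashit( $upload['basedir'] ) . 'ccb-orders' );
    if ( false === $root ) {
        return false; // root missing: there is nothing legitimate to delete
    }

    // realpath() collapses relative segments and follows symlinks, so the
    // containment check below is made on the file that would really be removed.
    $target = realpath( $stored_path );
    if ( false === $target || ! is_file( $target ) ) {
        return false; // does not exist, or is a directory rather than a file
    }

    // The trailing separator prevents a sibling such as "ccb-orders-x" from
    // passing as a prefix match of "ccb-orders".
    $root_prefix = rtrim( $root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $target, $root_prefix ) ) {
        // Refusals are worth logging: they are the signal the monitoring
        // recommendation above is looking for.
        error_log( 'ccb: refused to delete file outside upload root: ' . $stored_path );
        return false;
    }

    wp_delete_file( $target ); // WordPress core wrapper around unlink()
    return true;
}
```

A stronger fix is to never persist a client-supplied path at all and instead store only a server-generated filename that is joined to the fixed root at deletion time; the check above is the minimum that makes the stored value safe to use.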
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T17:54:27.730Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692e50a4f2f793a7de7cda0c
Added to database: 12/2/2025, 2:36:20 AM
Last enriched: 12/9/2025, 4:32:32 AM
Last updated: 1/16/2026, 10:14:44 PM