CVE-2025-14755: CWE-862 Missing Authorization in stylemix Cost Calculator Builder
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb_woocommerce_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the renderWooCommercePayment() function passing user-controlled data directly to CCBWooCheckout::init() without authorization checks. This makes it possible for unauthenticated attackers to add WooCommerce products to their cart with attacker-controlled prices.
AI Analysis
Technical Summary
CVE-2025-14755 affects the Cost Calculator Builder WordPress plugin up to version 4.0.1 when combined with Cost Calculator Builder PRO. The vulnerability arises because the ccb_woocommerce_payment AJAX action is registered via wp_ajax_nopriv, allowing unauthenticated access. The renderWooCommercePayment() function passes user-controlled data directly to CCBWooCheckout::init() without verifying authorization. This flaw enables unauthenticated attackers to add WooCommerce products to the cart with manipulated prices, constituting an insecure direct object reference and price manipulation issue.
Potential Impact
An unauthenticated attacker can manipulate the prices of WooCommerce products added to the cart, potentially leading to financial loss or fraudulent transactions. The vulnerability does not impact confidentiality or availability but affects the integrity of pricing information. The CVSS score is 5.3 (medium severity), reflecting the network attack vector, no privileges required, and no user interaction needed.
Mitigation Recommendations
No official patch or remediation guidance is currently available from the vendor. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, users should consider disabling the Cost Calculator Builder PRO plugin or restricting access to the affected AJAX action if possible. Monitor vendor communications for updates and apply patches promptly once available.
CVE-2025-14755: CWE-862 Missing Authorization in stylemix Cost Calculator Builder
Description
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb_woocommerce_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the renderWooCommercePayment() function passing user-controlled data directly to CCBWooCheckout::init() without authorization checks. This makes it possible for unauthenticated attackers to add WooCommerce products to their cart with attacker-controlled prices.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-14755 affects the Cost Calculator Builder WordPress plugin up to version 4.0.1 when combined with Cost Calculator Builder PRO. The vulnerability arises because the ccb_woocommerce_payment AJAX action is registered via wp_ajax_nopriv, allowing unauthenticated access. The renderWooCommercePayment() function passes user-controlled data directly to CCBWooCheckout::init() without verifying authorization. This flaw enables unauthenticated attackers to add WooCommerce products to the cart with manipulated prices, constituting an insecure direct object reference and price manipulation issue.
Potential Impact
An unauthenticated attacker can manipulate the prices of WooCommerce products added to the cart, potentially leading to financial loss or fraudulent transactions. The vulnerability does not impact confidentiality or availability but affects the integrity of pricing information. The CVSS score is 5.3 (medium severity), reflecting the network attack vector, no privileges required, and no user interaction needed.
Mitigation Recommendations
No official patch or remediation guidance is currently available from the vendor. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, users should consider disabling the Cost Calculator Builder PRO plugin or restricting access to the affected AJAX action if possible. Monitor vendor communications for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-15T21:02:42.851Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a040355cbff5d86105c5631
Added to database: 5/13/2026, 4:51:33 AM
Last enriched: 5/13/2026, 5:07:09 AM
Last updated: 5/14/2026, 6:45:12 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.