CVE-2025-14757: CWE-862 Missing Authorization in stylemix Cost Calculator Builder
CVE-2025-14757 is a medium severity vulnerability in the WordPress Cost Calculator Builder plugin (all versions up to and including 3.6.9) when used together with its PRO version. It allows unauthenticated attackers to bypass payment status verification and mark orders as paid without any actual payment. The cause is that the complete_payment AJAX action is registered for unauthenticated callers and checks only a nonce that is printed into the page source; it performs no capability check and never confirms that the order belongs to the requester. Exploitation requires no privileges or user interaction, so order statuses can be manipulated remotely and at scale. No exploitation in the wild has been reported, but the flaw enables financial fraud and undermines the integrity of e-commerce transactions. European organizations using this plugin for online payment processing risk fulfilling unpaid orders and losing revenue. Mitigation means restricting the AJAX action to authenticated users, validating order ownership, and confirming payment with the gateway server-side instead of trusting a client-side trigger. Countries with high WordPress e-commerce adoption, such as Germany, the UK, France, and the Netherlands, are most likely affected.
AI Analysis
Technical Summary
CVE-2025-14757 is a vulnerability in the Cost Calculator Builder WordPress plugin, specifically when used alongside its PRO version, affecting all versions up to and including 3.6.9. The root cause is the registration of the complete_payment AJAX action via the wp_ajax_nopriv hook, which makes the handler reachable by visitors who are not logged in. The associated complete() function validates only a nonce, which is printed into the page source through the JavaScript variable window.ccb_nonces, and does not verify user capabilities or confirm that the order belongs to the requester. A WordPress nonce is a CSRF token, not a credential: it is meant to be delivered to the client, and for logged-out visitors it is generated for user ID 0, so every anonymous visitor can obtain a valid one. This missing authorization (CWE-862) lets any unauthenticated attacker mark any order's payment status as "completed" without making a payment. The vulnerability does not affect confidentiality or availability but compromises the integrity of payment status data, potentially leading to fraudulent order fulfillment and financial loss. The CVSS 3.1 base score is 5.3 (medium), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity. No public exploits have been reported yet, but the flaw is straightforward to exploit because the nonce is public and no access control exists. It matters most for e-commerce sites that rely on this plugin for payment processing, since it undermines trust in their transaction records.
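The following is an added example, not the plugin's code and not taken from the advisory: a handler with the shape the analysis above describes (a wp_ajax_nopriv registration guarded only by a nonce) placed beside a hardened version. The function names, the `ccb_order` post type, the `_ccb_payment_status` meta key, the `EXAMPLE_GATEWAY_SECRET` constant and the gateway URL are all hypothetical.

```php
<?php
// Added example: illustrative handlers, NOT the Cost Calculator Builder plugin's
// code. Post type, meta keys, gateway URL and secret constant are hypothetical.

// --- Vulnerable pattern (CWE-862) ---------------------------------------
// Registering on wp_ajax_nopriv_* makes the handler reachable by anyone who
// POSTs action=complete_payment to /wp-admin/admin-ajax.php.
add_action('wp_ajax_complete_payment',        'example_complete_payment_vuln');
add_action('wp_ajax_nopriv_complete_payment', 'example_complete_payment_vuln');

function example_complete_payment_vuln() {
    // A nonce only shows the request came from a page that printed the nonce.
    // Logged-out visitors all receive a nonce bound to user ID 0, and it is
    // printed into every page (window.ccb_nonces), so it grants no authority.
    check_ajax_referer('ccb_nonce', 'nonce');

    $order_id = absint($_POST['order_id'] ?? 0);
    // No capability check, no ownership check, no gateway confirmation.
    update_post_meta($order_id, '_ccb_payment_status', 'completed');
    wp_send_json_success(['order_id' => $order_id]);
}

// --- Hardened pattern ----------------------------------------------------
// Only the logged-in hook is registered; admin-ajax.php answers anonymous
// callers with HTTP 400 and body "0" when no nopriv handler exists.
add_action('wp_ajax_complete_payment', 'example_complete_payment_fixed');

function example_complete_payment_fixed() {
    check_ajax_referer('ccb_nonce', 'nonce');          // CSRF protection only
    $order_id = absint($_POST['order_id'] ?? 0);
    $order    = get_post($order_id);
    if (!$order || $order->post_type !== 'ccb_order') {
        wp_send_json_error(['message' => 'unknown order'], 404);
    }
    // Authorization: the order's owner or a site administrator.
    $is_owner = (int) $order->post_author === get_current_user_id();
    if (!$is_owner && !current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    // Even the owner must not be able to assert payment by themselves:
    // ask the gateway (server to server) before flipping the status.
    $txn = sanitize_text_field(wp_unslash($_POST['transaction_id'] ?? ''));
    if (!example_gateway_confirms_payment($order_id, $txn)) {
        wp_send_json_error(['message' => 'payment not confirmed'], 402);
    }
    update_post_meta($order_id, '_ccb_payment_status', 'completed');
    update_post_meta($order_id, '_ccb_gateway_txn', $txn);
    wp_send_json_success(['order_id' => $order_id]);
}

// Hypothetical server-to-server lookup. The URL, the bearer secret (assumed to
// be defined in wp-config.php) and the response shape are assumptions; use the
// real gateway's verification API, or better, let its signed webhook drive the
// status change instead of a browser-initiated request.
function example_gateway_confirms_payment(int $order_id, string $txn): bool {
    if ($txn === '') {
        return false;
    }
    $resp = wp_remote_get(
        'https://gateway.example/v1/transactions/' . rawurlencode($txn),
        ['headers' => ['Authorization' => 'Bearer ' . EXAMPLE_GATEWAY_SECRET], 'timeout' => 10]
    );
    if (is_wp_error($resp) || wp_remote_retrieve_response_code($resp) !== 200) {
        return false;
    }
    $body = json_decode(wp_remote_retrieve_body($resp), true);
    return is_array($body)
        && ($body['status'] ?? '') === 'paid'
        && (int) ($body['order_id'] ?? 0) === $order_id;
}
```

The ownership check closes the CWE-862 hole, but on its own it would still let a customer mark their own order paid; the gateway confirmation is what makes the status trustworthy. Note that `wp_send_json_error()` terminates the request, so no explicit `return` follows it.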
Potential Impact
For European organizations operating e-commerce platforms on the Cost Calculator Builder plugin with the PRO version, this vulnerability allows attackers to fraudulently mark orders as paid, so goods or services may be delivered against orders that were never paid for. The result is direct financial loss, chargeback handling, and reputational damage. The integrity of transaction records is compromised, which also affects accounting, reconciliation, and compliance processes. Because exploitation requires neither authentication nor user interaction, it can be automated and run at scale, increasing exposure. Organizations may additionally face legal and regulatory consequences under European data protection and consumer protection laws if fraudulent transactions occur. The disruption to business operations and customer trust can be significant, especially for SMEs that depend heavily on WordPress-based e-commerce.
Mitigation Recommendations
1. Update the Cost Calculator Builder plugin and its PRO version to a release that addresses CVE-2025-14757 as soon as the vendor publishes one; this page does not name the fixed version, so confirm it in the plugin changelog.
2. Until then, restrict the complete_payment AJAX action to authenticated users on the server side, for example by modifying the plugin code or using WordPress hooks to remove the wp_ajax_nopriv registration. Test a guest checkout afterwards: if the plugin's own payment flow calls this action for logged-out buyers, blocking it will break that flow and the vendor fix is the only complete answer.
3. Extend the complete() function so that it verifies the requesting user owns the order or holds an appropriate capability.
4. Do not treat the nonce as an access control. WordPress nonces are CSRF tokens that must be delivered to the client (here via window.ccb_nonces), and for logged-out visitors they are generated for user ID 0, so any anonymous visitor can obtain a valid one. Hiding or obfuscating them does not close the hole; the authorization check does.
5. Monitor order payment status changes for anomalies, in particular orders flipping to "completed" without a matching confirmation from the payment gateway.
6. Add a WAF rule that blocks or alerts on POST requests to /wp-admin/admin-ajax.php carrying action=complete_payment from clients that present no WordPress logged-in cookie.
7. Educate site administrators on the risk and encourage regular plugin updates and security audits.
8. Move payment verification to server-to-server confirmation from the gateway (its verification API or signed webhook) rather than a client-side trigger, so that no browser request can assert that an order was paid.
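As an added example of steps 2, 5 and 6 combined, the must-use plugin below is not vendor code and is not from the advisory. It assumes the vulnerable handler is attached to the `wp_ajax_nopriv_complete_payment` hook as the analysis states; the file name, log destination and response text are assumptions. Drop it into wp-content/mu-plugins/ while waiting for the patched release and delete it afterwards.

```php
<?php
/**
 * Plugin Name: Interim guard for CVE-2025-14757 (added example, not vendor code)
 *
 * Assumes the vulnerable handler is hooked on wp_ajax_nopriv_complete_payment.
 * Hook name, log destination and message text are assumptions.
 */

// admin-ajax.php fires admin_init before dispatching wp_ajax_* hooks, and
// admin_init runs after init, so this callback executes after the plugin has
// registered its handler no matter when it did so. The late priority keeps
// it last among admin_init callbacks.
add_action('admin_init', function () {
    if (!wp_doing_ajax()) {
        return;
    }
    $action = isset($_REQUEST['action']) ? sanitize_key(wp_unslash($_REQUEST['action'])) : '';
    if ($action !== 'complete_payment') {
        return;
    }
    // Detach every callback registered for anonymous callers of this action ...
    remove_all_actions('wp_ajax_nopriv_complete_payment');
    // ... and replace them with one that records the attempt and denies it.
    add_action('wp_ajax_nopriv_complete_payment', 'cve_2025_14757_deny_anonymous');
}, PHP_INT_MAX);

function cve_2025_14757_deny_anonymous() {
    $order_id = absint($_POST['order_id'] ?? 0);
    // REMOTE_ADDR is the TCP peer; trust a forwarded-for header only if your own proxy sets it.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '-';
    $ua = substr(sanitize_text_field(wp_unslash($_SERVER['HTTP_USER_AGENT'] ?? '-')), 0, 200);
    // One line per attempt in PHP's error log; forward that log to your SIEM.
    error_log(sprintf(
        'CVE-2025-14757 blocked anonymous complete_payment order_id=%d ip=%s ua="%s"',
        $order_id, $ip, $ua
    ));
    wp_send_json_error(['message' => 'Payment completion requires an authenticated session.'], 403);
}
```

This only covers the anonymous path (the wp_ajax_nopriv hook). Logged-in callers still reach the original handler, which according to the analysis performs no ownership check, so the guard reduces exposure but does not replace the vendor fix. Run a guest test order in staging before deploying: if the plugin's legitimate checkout flow posts to complete_payment for logged-out buyers, this guard will block it.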
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-15T22:56:12.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6969fa2a7c726673b6148ccc
Added to database: 1/16/2026, 8:43:22 AM
Last enriched: 1/16/2026, 8:58:20 AM
Last updated: 1/16/2026, 9:20:50 AM
Related Threats
- CVE-2025-60021: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Apache Software Foundation Apache bRPC (Critical)
- CVE-2025-12007: CWE-347 Improper Verification of Cryptographic Signature in SMCI X13SEM-F (High)
- CVE-2025-12006: CWE-347 Improper Verification of Cryptographic Signature in SMCI X12STW-F (High)
- CVE-2026-22876: Improper limitation of a pathname to a restricted directory ('Path Traversal') in TOA Corporation Multiple Network Cameras TRIFORA 3 series (Medium)
- CVE-2026-20894: Cross-site scripting (XSS) in TOA Corporation Multiple Network Cameras TRIFORA 3 series (Medium)