CVE-2025-14757 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Cost Calculator Builder WordPress plugin up to version 3.6.9 when combined with the Cost Calculator Builder PRO plugin. The root cause is that the AJAX action 'complete_payment' is registered via wp_ajax_nopriv, allowing unauthenticated users to invoke it. The complete() function responsible for marking payments as complete only checks a nonce for validation. However, this nonce is exposed to all visitors through the JavaScript variable window.ccb_nonces in the page source, making it trivial for attackers to obtain. Critically, the function does not verify whether the user has the appropriate capabilities or owns the order in question. As a result, an unauthenticated attacker can arbitrarily mark any order's payment status as 'completed' without making a legitimate payment. This flaw compromises the integrity of the payment process, enabling fraudulent order completion. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), reflecting its network attack vector, low attack complexity, no privileges required, and no user interaction needed. While no public exploits are known, the ease of exploitation and the exposure of nonces make this a significant risk for affected sites. The lack of patch links indicates that a fix may not yet be available, necessitating immediate mitigation steps.

The primary impact of CVE-2025-14757 is on the integrity of payment processing within affected WordPress sites using the Cost Calculator Builder and its PRO version. Attackers can fraudulently mark orders as paid without actual payment, potentially leading to financial losses, revenue leakage, and undermining trust in the e-commerce platform. This can also disrupt business operations by allowing unauthorized access to goods or services. Although confidentiality and availability are not directly affected, the integrity breach can have cascading effects, including accounting discrepancies and customer disputes. Organizations relying on this plugin for payment calculations and order management are at risk of fraud and reputational damage. The vulnerability's ease of exploitation and unauthenticated access increase the likelihood of attacks, especially on sites with high transaction volumes or valuable products. Without timely mitigation, attackers could automate fraudulent transactions at scale.

To mitigate CVE-2025-14757, organizations should first check for and apply any official patches or updates from the vendor once available. In the absence of a patch, immediate steps include disabling the Cost Calculator Builder PRO plugin or the vulnerable AJAX action if possible. Implementing server-side access controls to restrict the wp_ajax_nopriv complete_payment action to authenticated and authorized users is critical. Developers can modify the plugin code to add robust authorization checks verifying user capabilities and order ownership before marking payments as complete. Additionally, nonces should not be exposed publicly; ensure they are generated and validated securely. Monitoring logs for suspicious AJAX requests related to payment completion can help detect exploitation attempts. Organizations should also consider deploying Web Application Firewalls (WAFs) with custom rules to block unauthorized access to the vulnerable endpoint. Finally, educating site administrators about the risk and encouraging regular security audits of plugins can prevent similar issues.