CVE-2025-9243: CWE-862 Missing Authorization in stylemix Cost Calculator Builder
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-9243 affects the Cost Calculator Builder plugin for WordPress, developed by stylemix. It is classified under CWE-862, indicating a missing authorization issue. Specifically, the plugin fails to perform proper capability checks on the functions get_cc_orders and update_order_status across all versions up to and including 3.5.32. These functions are responsible for retrieving order data and updating order statuses, respectively. Due to this missing authorization, any authenticated user with at least Subscriber-level access can invoke these functions to access sensitive order information and modify order statuses without the necessary permissions.

The vulnerability is exploitable remotely over the network without requiring user interaction, increasing its risk profile. The CVSS v3.1 base score is 8.1, reflecting high severity with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. This means the attack can be launched remotely with low attack complexity, requires low privileges (an authenticated user), needs no user interaction, and impacts confidentiality and integrity significantly, but not availability.

No patches or fixes have been linked yet, and no known exploits are reported in the wild as of the published date. The vulnerability exposes WordPress sites using this plugin to unauthorized data access and manipulation, potentially leading to fraudulent order processing or data leakage. The issue is critical for e-commerce and service sites relying on accurate order management. Detection and mitigation currently rely on monitoring user roles and restricting access until an official patch is released.
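To make the CWE-862 pattern concrete, the following is an added illustration written for this page; it is not the plugin's code and does not reproduce stylemix's handlers. It shows a generic WordPress AJAX handler that updates an order status, first in the shape that produces a missing capability check, then in a hardened form. The hook names, the option-based storage, the nonce name and the `manage_options` capability are all assumptions chosen for the example.

```php
<?php
/*
 * Added illustration (not the plugin's code): a generic WordPress AJAX
 * handler for an order-status update, without and then with the
 * authorization checks whose absence defines CWE-862. Hook names,
 * storage and the capability used are assumptions for this example.
 */

// --- Shape that produces CWE-862 ---------------------------------------
// Registered on wp_ajax_*, so every logged-in user can reach it, and the
// handler trusts the session alone: a Subscriber can change order data.
add_action( 'wp_ajax_example_update_order_status', 'example_update_order_status_missing_check' );

function example_update_order_status_missing_check() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    update_option( 'example_order_status_' . $order_id, $status ); // assumed storage
    wp_send_json_success();
}

// --- Hardened form -------------------------------------------------------
add_action( 'wp_ajax_example_update_order_status_v2', 'example_update_order_status_checked' );

function example_update_order_status_checked() {
    // 1. Capability check: only users allowed to manage orders may proceed.
    //    'manage_options' is the assumed capability; a real plugin would
    //    register a dedicated one and grant it only to the roles that need it.
    //    The same check belongs in the handler that lists or reads orders.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Nonce check: ties the request to a page this user actually loaded,
    //    which blocks CSRF even against users who do hold the capability.
    check_ajax_referer( 'example_order_status_nonce', 'security' );

    // 3. Validate input against an allow-list rather than storing whatever arrives.
    $allowed  = array( 'pending', 'processing', 'completed', 'cancelled' );
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    if ( 0 === $order_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid order id or status.' ), 400 );
    }

    update_option( 'example_order_status_' . $order_id, $status );
    wp_send_json_success( array( 'order_id' => $order_id, 'status' => $status ) );
}
```

The order of the checks matters: the capability check runs before any input is read, so a user without the right role never reaches the nonce or the storage call, and `wp_send_json_error()` terminates the request, so no code after it executes. Registering the action only on `wp_ajax_*` (not `wp_ajax_nopriv_*`) keeps anonymous users out, but as the advisory shows, that alone is not an authorization check.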
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity and confidentiality of order data on WordPress sites using the Cost Calculator Builder plugin. Unauthorized modification of order statuses can lead to fraudulent transactions, financial loss, and reputational damage. Organizations in sectors such as retail, services, and e-commerce are particularly vulnerable, as order data integrity is crucial for business operations. The breach of confidentiality may also expose sensitive customer information, potentially violating GDPR regulations and resulting in legal penalties. The ease of exploitation by low-privilege authenticated users increases the threat surface, especially for sites that allow user registrations with Subscriber-level access. This vulnerability could be leveraged in targeted attacks or automated campaigns to manipulate orders or disrupt business processes. The absence of known exploits currently provides a window for proactive mitigation, but the high CVSS score underscores the urgency of addressing this issue to prevent future exploitation.
Mitigation Recommendations
1. Immediately audit and restrict user roles on affected WordPress sites, ensuring that only trusted users have Subscriber-level or higher access.
2. Implement strict monitoring and logging of order-related activities, focusing on changes to order statuses and access to order data.
3. Temporarily disable or uninstall the Cost Calculator Builder plugin if order management is critical and no patch is available.
4. Apply the principle of least privilege to user accounts, removing unnecessary permissions and disabling user registration if it is not required.
5. Use a Web Application Firewall (WAF) with custom rules to detect and block suspicious requests targeting the vulnerable functions.
6. Regularly check for and apply updates or patches from stylemix as soon as they are released.
7. Educate site administrators and developers about this vulnerability to ensure rapid response and remediation.
8. Consider implementing multi-factor authentication (MFA) for all authenticated users to reduce the risk of compromised accounts.
9. Review and harden WordPress security configurations, including disabling REST API endpoints if they are not needed or restricting access to them.
10. Conduct penetration testing focused on authorization controls to identify similar weaknesses in other plugins or custom code.
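Recommendations 2 and 5 can be applied inside WordPress itself while waiting for a vendor patch. The following must-use plugin is an added example written for this page, not stylemix code: it intercepts watch-listed admin-ajax actions before the plugin's own handler runs, logs every call with the caller's roles, and denies callers who lack an administrative capability. Whether the affected functions are reached through admin-ajax.php under exactly these action names is an assumption; the names in `EXAMPLE_GATED_ACTIONS`, the `manage_options` capability and the log format are placeholders to adjust to what is observed on the site.

```php
<?php
/*
 * Plugin Name: Temporary gate for order-management AJAX actions
 * Description: Added example (not stylemix code). Denies and logs
 *              watch-listed admin-ajax actions for users without an
 *              administrative capability, as an interim control until the
 *              vendor patch is applied. Place in wp-content/mu-plugins/.
 */

// Assumption: the affected functions are dispatched through admin-ajax.php
// under these action names. Replace with the action names observed on your
// site (e.g. in browser developer tools while using the plugin's order screens).
const EXAMPLE_GATED_ACTIONS = array(
    'get_cc_orders',
    'update_order_status',
);

// Assumed capability; change to the role that legitimately manages orders.
const EXAMPLE_REQUIRED_CAP = 'manage_options';

// init fires before admin-ajax.php dispatches wp_ajax_{action}, so the gate
// runs ahead of any plugin handler. Priority 0 keeps it early.
add_action( 'init', 'example_gate_order_ajax_actions', 0 );

function example_gate_order_ajax_actions() {
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( '' === $action || ! in_array( $action, EXAMPLE_GATED_ACTIONS, true ) ) {
        return;
    }

    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';

    // Recommendation 2: one audit line per order-management call, including
    // the caller's roles so a Subscriber touching these actions stands out.
    $log = sprintf(
        '[order-gate] action=%s user_id=%d roles=%s ip=%s',
        $action,
        $user->ID,
        implode( ',', (array) $user->roles ),
        $ip
    );

    if ( current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
        error_log( $log . ' result=allowed' );
        return;
    }

    // Recommendation 5, applied inside WordPress rather than at the WAF:
    // deny the request before the plugin's handler ever executes.
    error_log( $log . ' result=denied' );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

The log lines go to the PHP error log, or to `wp-content/debug.log` when `WP_DEBUG_LOG` is enabled, where they can be forwarded to whatever monitoring is already in place; a `result=denied` entry with `roles=subscriber` is exactly the event the advisory describes. Because the gate checks the capability rather than the login state, unauthenticated callers are also denied, so it still holds if a handler is exposed on `wp_ajax_nopriv_*`. Array constants require PHP 5.6 or later, and the gate should be removed once the patched plugin version is installed and verified.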
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-20T11:13:03.674Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e0877c11971642e85b347e
Added to database: 10/4/2025, 2:33:32 AM
Last enriched: 10/11/2025, 8:43:15 AM
Last updated: 11/17/2025, 3:38:23 PM