
CVE-2025-9243: CWE-862 Missing Authorization in stylemix Cost Calculator Builder

Severity: High
Published: Sat Oct 04 2025 (10/04/2025, 02:24:36 UTC)
Source: CVE Database V5
Vendor/Project: stylemix
Product: Cost Calculator Builder

Description

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 17:48:45 UTC

Technical Analysis

CVE-2025-9243 is a high-severity missing-authorization flaw (CWE-862) in the Cost Calculator Builder WordPress plugin by stylemix. Two functions that manage orders, get_cc_orders (retrieval) and update_order_status (status changes), run without a capability check, the current_user_can() gate that WordPress expects every privileged handler to apply. The plugin therefore never asks whether the caller is allowed to manage orders; being logged in is enough. Any account at Subscriber level or above, the default role WordPress gives to self-registered users, can list orders and change their status, operations that should be limited to administrators or whoever the site designates to manage orders. All versions up to and including 3.5.32 are affected.

The CVSS 3.1 base score is 8.1 (High): network attack vector, low attack complexity, low privileges required (a Subscriber account), no user interaction, high confidentiality and integrity impact, and no availability impact, which corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. Confidentiality is affected because order records can be read; integrity because their status can be altered; the flaw does not by itself cause denial of service. Sites that allow open registration (Settings > General, "Anyone can register") should treat this as reachable by anyone on the internet, since the only privilege needed is an account the attacker can create.

The record was reserved on August 20, 2025 and published on October 4, 2025, with Wordfence as the assigning CNA. No patch is linked in the record and no in-the-wild exploitation had been reported as of publication. The exposure is greatest for sites that use the plugin for quoting or e-commerce and keep real order data in it.
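To make the CWE-862 pattern concrete, here is an added illustration of a WordPress admin-ajax handler pair, first without and then with the capability check. This is example code written for this page, not the Cost Calculator Builder source, and it assumes several things the advisory does not state: that the AJAX action names mirror the function names, that orders live in an option called ccb_demo_orders, that manage_options stands in for whatever capability the real plugin should require, and an assumed status vocabulary. The _fixed suffixes only let both variants coexist in one demo file; do not deploy the vulnerable half.

```php
<?php
/*
 * Added illustration of CWE-862 in a WordPress admin-ajax handler. NOT the
 * Cost Calculator Builder source. Assumptions: action names mirror the
 * advisory's function names, orders are stored in the 'ccb_demo_orders'
 * option, 'manage_options' stands in for the real capability, and the
 * "_fixed" suffixes exist only so both variants can live in one demo file.
 */

/* ---- Vulnerable pattern: being logged in is the only requirement ---- */

// wp_ajax_{action} fires for every authenticated user, Subscribers included.
add_action( 'wp_ajax_get_cc_orders', 'ccb_demo_get_orders_vulnerable' );
function ccb_demo_get_orders_vulnerable() {
    // No capability check, no nonce: any logged-in account reads all orders.
    wp_send_json_success( get_option( 'ccb_demo_orders', array() ) );
}

add_action( 'wp_ajax_update_order_status', 'ccb_demo_update_status_vulnerable' );
function ccb_demo_update_status_vulnerable() {
    $orders = get_option( 'ccb_demo_orders', array() );
    $id     = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    // Input is sanitized, but nobody asked whether the caller may change
    // orders at all: a Subscriber can flip any order to any status.
    if ( isset( $orders[ $id ] ) ) {
        $orders[ $id ]['status'] = $status;
        update_option( 'ccb_demo_orders', $orders );
    }
    wp_send_json_success();
}

/* ---- Hardened pattern: authorize, verify intent, validate input ---- */

function ccb_demo_authorize() {
    // The capability check is the actual fix for CWE-862: deny unless the
    // caller holds the (assumed) order-management capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    // The nonce stops CSRF against an authorized admin; it is not a
    // substitute for the capability check above.
    check_ajax_referer( 'ccb_demo_orders', 'nonce' ); // dies on failure
}

add_action( 'wp_ajax_get_cc_orders_fixed', 'ccb_demo_get_orders_fixed' );
function ccb_demo_get_orders_fixed() {
    ccb_demo_authorize();
    wp_send_json_success( get_option( 'ccb_demo_orders', array() ) );
}

add_action( 'wp_ajax_update_order_status_fixed', 'ccb_demo_update_status_fixed' );
function ccb_demo_update_status_fixed() {
    ccb_demo_authorize();

    $allowed = array( 'pending', 'paid', 'cancelled' ); // assumed status set
    $id      = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status  = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid status' ), 400 );
    }
    $orders = get_option( 'ccb_demo_orders', array() );
    if ( ! isset( $orders[ $id ] ) ) {
        wp_send_json_error( array( 'message' => 'no such order' ), 404 );
    }
    $orders[ $id ]['status'] = $status;
    update_option( 'ccb_demo_orders', $orders );
    wp_send_json_success( array( 'order_id' => $id, 'status' => $status ) );
}
```

The point of the hardened half is the ordering: authorization first, then the nonce, then input validation. A nonce alone would not have prevented this class of bug, because a Subscriber can obtain a valid nonce for any page that renders one for them; only the capability check answers the question "may this account manage orders at all".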

Potential Impact

The direct impact is that any authenticated user, including self-registered Subscribers, can read order records and change order status on an affected site. Altering status can produce financial discrepancies, fraudulent fulfilment and broken business workflows, and exposure of order contents may bring customer data under data-protection obligations. Because no administrative privilege is needed, a compromised low-privilege account or a malicious insider is enough to exploit the flaw. Availability is not affected directly, but corrupted order data can still disrupt operations downstream. Sites that use the plugin for quoting or e-commerce with real customer orders, and sites with open registration, carry the most risk.

Mitigation Recommendations

First check whether the Cost Calculator Builder plugin is installed and whether its version is 3.5.32 or earlier (the Plugins page, or `wp plugin list` with WP-CLI). Update to a release later than 3.5.32 that the vendor identifies as fixing this issue; as of this record no patch is linked, so check the plugin changelog before assuming a newer build is fixed. If no fixed release is available and the plugin is not business-critical, deactivate it until one is.

If the plugin must stay active, block the requests rather than trying to adjust roles: the defect is that the two functions check no capability at all, so removing capabilities from the Subscriber role with a role-management plugin denies nothing. A small must-use plugin that hooks the same AJAX actions at a lower priority and rejects callers who lack the order-management capability closes the gap until the vendor fixes it. Confirm how the plugin actually exposes the two functions (admin-ajax action, REST route, or something else) by reading its source, since the guard has to sit on the same entry point. Review whether open registration is enabled; with "Anyone can register" on, the required privilege is free to obtain. Log and review calls to the order endpoints, particularly those made by non-administrator accounts. A WAF rule that matches the action name can reduce noise, but the WAF usually cannot see the WordPress role of a session, so it will either block legitimate administrators or let Subscribers through; authorization belongs in the application. Keep user roles at least privilege and brief administrators so unexpected order-status changes are investigated promptly.
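The following is an added example of the must-use plugin guard described above, written for this page and not shipped by stylemix. It assumes the vulnerable functions are exposed as admin-ajax actions named get_cc_orders and update_order_status, that the plugin registers its handlers at the default priority, and that manage_options is the capability that should gate order management; all three must be checked against the plugin's source before use.

```php
<?php
/**
 * Plugin Name: CCB Orders Guard (temporary virtual patch)
 * Description: Rejects order-management AJAX actions from accounts that lack a chosen capability.
 *
 * Added example for CVE-2025-9243, not vendor code. Place in wp-content/mu-plugins/.
 * ASSUMPTIONS: the plugin registers admin-ajax actions named after the vulnerable
 * functions at the default priority (10), and 'manage_options' is the right
 * capability for order management on this site. Adjust both after reading the
 * plugin's add_action( 'wp_ajax_...' ) calls.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const CCB_GUARD_ACTIONS    = array( 'get_cc_orders', 'update_order_status' ); // assumed
const CCB_GUARD_CAPABILITY = 'manage_options';                                // assumed

/**
 * Runs before the plugin's own handler. Lets authorized users through and
 * terminates the request for everyone else, logging enough to investigate.
 */
function ccb_guard_block_if_unauthorized() {
    if ( current_user_can( CCB_GUARD_CAPABILITY ) ) {
        return; // legitimate traffic continues to the plugin handler
    }

    $user   = wp_get_current_user();
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // One line per blocked attempt in the PHP error log for detection/triage.
    error_log( sprintf(
        'ccb-guard: blocked action=%s user_id=%d login=%s ip=%s',
        $action,
        $user->ID,
        $user->user_login,
        $ip
    ) );

    // wp_send_json_error() calls wp_die(), so the vulnerable code never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

foreach ( CCB_GUARD_ACTIONS as $ccb_guard_action ) {
    // Priority 0 runs ahead of the plugin's handler at the default priority 10.
    add_action( 'wp_ajax_' . $ccb_guard_action, 'ccb_guard_block_if_unauthorized', 0 );
    // Also cover the unauthenticated hook in case the plugin registers it.
    add_action( 'wp_ajax_nopriv_' . $ccb_guard_action, 'ccb_guard_block_if_unauthorized', 0 );
}
```

To verify the guard, log in as a Subscriber and POST to /wp-admin/admin-ajax.php with action=get_cc_orders: the response should be a 403 JSON error and a ccb-guard line should appear in the PHP error log, while an administrator's request should behave exactly as before. If the plugin turns out to expose these functions through the REST API rather than admin-ajax, this hook does nothing and the equivalent check has to be added on the rest_pre_dispatch filter for the affected routes instead.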


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-08-20T11:13:03.674Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68e0877c11971642e85b347e

Added to database: 10/4/2025, 2:33:32 AM

Last enriched: 2/26/2026, 5:48:45 PM

Last updated: 3/25/2026, 4:25:22 AM

