
CVE-2025-9243: CWE-862 Missing Authorization in stylemix Cost Calculator Builder

Severity: High
Tags: Vulnerability, CVE-2025-9243, CWE-862
Published: Sat Oct 04 2025 (10/04/2025, 02:24:36 UTC)
Source: CVE Database V5
Vendor/Project: stylemix
Product: Cost Calculator Builder

Description

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status.

AI-Powered Analysis

AI analysis last updated: 10/04/2025, 02:48:37 UTC

Technical Analysis

CVE-2025-9243 is a high-severity vulnerability in the Cost Calculator Builder plugin for WordPress, developed by stylemix. The root cause is a missing authorization check (CWE-862) in the plugin's get_cc_orders and update_order_status functions: neither function verifies that the calling user holds a capability appropriate for order management, so any authenticated user with Subscriber-level access or higher can read order data and change order statuses. Because a Subscriber is the lowest default WordPress role, any site that allows self-registration effectively exposes these functions to anyone who can create an account. The vulnerability affects all versions up to and including 3.5.32.

The CVSS 3.1 base score is 8.1 (high). The attack vector is network-based, attack complexity is low, no user interaction is required, and the only precondition is a low-privileged authenticated account; the impact is high on confidentiality (order data is readable) and on integrity (order status is writable), with no availability impact.

No exploitation in the wild has been reported at the time of writing. The risk is nonetheless significant given the plugin's role in handling orders and quotes on commercial sites: exploitation could allow fraudulent manipulation of order records, financial discrepancies, and loss of customer trust.

Potential Impact

For European organizations running WordPress e-commerce or service sites with the Cost Calculator Builder plugin, this vulnerability allows unauthorized modification of order data. That undermines the integrity of financial records and enables fraud such as marking unpaid orders as paid, or paid orders as unpaid. Loss of data integrity can lead to financial losses, regulatory exposure (including GDPR implications where customer data held in order records is read or altered), and reputational damage. Because the flaw lets low-privileged accounts operate on order management, it can be leveraged by insiders or through a compromised or self-registered Subscriber account. The risk is highest in sectors with large transaction volumes or sensitive financial operations, such as retail, travel, and digital services, and disruption of order processing can also affect business continuity and customer satisfaction.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations for the Cost Calculator Builder plugin and record the installed version; any version up to and including 3.5.32 is affected. Since no official patch links are provided in this record, monitor the vendor's announcements and the plugin's changelog for a release that addresses CVE-2025-9243 and update as soon as one is available. In the interim, review user roles and permissions: disable open registration where it is not needed, audit existing Subscriber-level accounts, and remove stale ones. Use a web application firewall (WAF) to detect and block requests that invoke the vulnerable functions from non-administrative accounts. Enable logging and alerting on order status changes so that unexpected modifications are noticed quickly. Consider disabling or removing the plugin if it is not essential. Organizations with development resources can apply a temporary fix by adding capability checks (for example, current_user_can) to the two affected functions until an official release is available. Keep WordPress core and all plugins up to date, and include compromised-account scenarios in user awareness training.
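The following is an added illustration of the defect class described in the Technical Analysis and of the temporary code fix suggested in the Mitigation Recommendations. It is not code from the Cost Calculator Builder plugin. It assumes, hypothetically, that get_cc_orders and update_order_status are exposed as admin-ajax.php actions, that orders are stored in an option named cc_orders, and that manage_options is the appropriate capability; the real hook names, storage and request parameters are not documented on this page.

```php
<?php
// Added example, not the plugin's own code. Assumed (hypothetical) details:
// admin-ajax actions named after the functions, an option 'cc_orders'
// holding an array keyed by order id, and 'manage_options' as the required
// capability. Only the hardened handlers are hooked below so this file is
// loadable as a small plugin; the vulnerable ones are shown for contrast.

// --- Vulnerable pattern (CWE-862): authentication only, no authorization ---
// add_action( 'wp_ajax_get_cc_orders', 'vuln_get_cc_orders' );
// add_action( 'wp_ajax_update_order_status', 'vuln_update_order_status' );

function vuln_get_cc_orders() {
    // wp_ajax_* only proves the caller is logged in; a Subscriber qualifies.
    wp_send_json_success( get_option( 'cc_orders', array() ) );
}

function vuln_update_order_status() {
    $orders = get_option( 'cc_orders', array() );
    $id     = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    if ( isset( $orders[ $id ] ) ) {
        $orders[ $id ]['status'] = $status; // any logged-in user can rewrite this
        update_option( 'cc_orders', $orders );
    }
    wp_send_json_success();
}

// --- Hardened pattern: capability check plus a CSRF nonce on every entry ---
function cc_assert_order_manager() {
    // Authorization: refuse anyone who cannot manage the site.
    // wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: the request must carry the nonce minted for the admin page
    // (wp_create_nonce( 'cc_orders_nonce' )); check_ajax_referer dies on mismatch.
    check_ajax_referer( 'cc_orders_nonce', 'nonce' );
}

add_action( 'wp_ajax_get_cc_orders', 'safe_get_cc_orders' );
add_action( 'wp_ajax_update_order_status', 'safe_update_order_status' );

function safe_get_cc_orders() {
    cc_assert_order_manager();
    wp_send_json_success( get_option( 'cc_orders', array() ) );
}

function safe_update_order_status() {
    cc_assert_order_manager();

    // Validate the new status against an allow-list (assumed values) rather
    // than storing arbitrary text supplied by the client.
    $allowed = array( 'pending', 'paid', 'cancelled' );
    $id      = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status  = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }

    $orders = get_option( 'cc_orders', array() );
    if ( ! isset( $orders[ $id ] ) ) {
        wp_send_json_error( 'no such order', 404 );
    }
    $orders[ $id ]['status'] = $status;
    update_option( 'cc_orders', $orders );
    wp_send_json_success( $orders[ $id ] );
}
```

To verify a fix of this shape, log in as a Subscriber and POST action=update_order_status to wp-admin/admin-ajax.php with a valid session cookie: the vulnerable handler changes the record, while the hardened handler returns a 403 JSON error before any data is touched. Note that a nonce alone is not an authorization control; a Subscriber who can obtain the nonce from a page they are allowed to view would still pass check_ajax_referer, which is why the current_user_can check comes first.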


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-20T11:13:03.674Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e0877c11971642e85b347e

Added to database: 10/4/2025, 2:33:32 AM

Last enriched: 10/4/2025, 2:48:37 AM

Last updated: 10/4/2025, 5:28:03 AM