CVE-2025-12529

WordPress · WordPress Cost Calculator Builder plugin

A high-severity vulnerability has been identified in the Cost Calculator Builder plugin for WordPress, which allows an attacker to delete arbitrary files from the web server.

Executive summary

Successful exploitation of this arbitrary file deletion flaw in the Cost Calculator Builder plugin for WordPress could lead to a complete website outage, data loss, or a denial of service. Organizations using this plugin are urged to apply the recommended updates immediately to mitigate the significant risk to their web infrastructure.

Vulnerability

The vulnerability exists within the deleteOrdersFiles() function of the Cost Calculator Builder plugin. The function fails to properly sanitize or validate the file path provided in a user request. An authenticated attacker, potentially with low-level privileges, can exploit this flaw by crafting a request with a path traversal payload (e.g., ../../../../wp-config.php) to target and delete critical files outside of the intended directory. Deleting core application files like wp-config.php or system files can render the entire website inoperable.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant threat to business operations. Exploitation can lead to a complete denial of service, requiring a full restoration from backups and causing extended downtime. The deletion of configuration files or user data could result in data loss, reputational damage, and loss of customer trust. The operational cost of incident response and recovery from such an attack can be substantial.

Remediation

Immediate Action:

  • Immediately update the Cost Calculator Builder plugin to a version greater than 3.
  • If the plugin is not essential for business operations, consider deactivating and uninstalling it to remove the attack surface entirely.
  • Verify that the update has been successfully applied across all relevant WordPress instances.

Proactive Monitoring:

  • Implement File Integrity Monitoring (FIM) on the web server to detect and alert on unauthorized deletions or modifications of critical files (e.g., wp-config.php, .htaccess, core WordPress files).
  • Review web server access logs for suspicious POST/GET requests targeting the plugin's endpoints, specifically looking for path traversal sequences (../, ..%2F) in the request parameters.
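The log review described above, as an added example that is not part of the advisory: a small Python scanner that parses combined-format access-log lines, percent-decodes each request URI repeatedly so that single-, double-encoded and backslash traversal variants are all caught, and reports the matching requests. It assumes the plugin is reached through WordPress's standard admin-ajax.php endpoint and uses a placeholder action name, since the advisory does not name the plugin's request parameters; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# After decoding and slash normalisation, any "../" is a traversal attempt.
TRAVERSAL_RE = re.compile(r"\.\./")

# Constructed sample traffic (not real logs). The ajax action name is a
# placeholder: the advisory does not name the plugin's endpoint parameters.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_action&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=example_plugin_action&file=..%252F..%252Fwp-config.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-content/uploads/2025/10/order..v2.pdf HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:04 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=example_plugin_action&file=..%5C..%5Cwp-config.php HTTP/1.1" 403 12 "-" "curl/8.0"
"""

def normalize_uri(uri, max_rounds=3):
    """Percent-decode repeatedly (catches ..%252F double encoding) and fold
    backslashes to forward slashes so ..\\ variants are matched too."""
    prev, cur = None, uri
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")

def scan_log(text, endpoint=None):
    """Return one dict per request whose decoded URI contains a traversal
    sequence; endpoint (e.g. 'admin-ajax.php') restricts the scan to one path."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri")
        path = uri.split("?", 1)[0]
        if endpoint and endpoint not in path:
            continue
        decoded = normalize_uri(uri)
        if TRAVERSAL_RE.search(decoded):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"), "status": int(m.group("status")),
                         "raw": uri, "decoded": decoded})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG, endpoint="admin-ajax.php"):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} status={h["status"]} {h["decoded"]}')
```

Standard access logs record only the query string, not POST bodies, so a parameter sent in the body of a POST will not appear here; pair this check with WAF or application-level request logging that captures bodies.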

Compensating Controls:

  • If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules designed to block path traversal attack patterns.
  • Enforce strict file system permissions to ensure the web server's user account cannot delete files outside of its designated directories.
  • Ensure that regular, automated, and verified backups of the entire WordPress site (files and database) are being performed and stored securely off-site.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.8 and the critical impact of a successful attack, it is imperative that organizations address this vulnerability with the highest priority. The potential for a complete denial of service represents a direct threat to business continuity. We strongly recommend applying the vendor-supplied patch immediately to all affected systems. Although this CVE is not currently listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion, and it should be treated as an active and critical threat.