CVE-2025-9243
Cost · Cost Calculator Builder plugin for WordPress
A high-severity vulnerability has been identified in the Cost Calculator Builder plugin for WordPress.
Executive summary
A high-severity vulnerability has been identified in the Cost Calculator Builder plugin for WordPress. This flaw allows unauthorized users to view and modify order data, such as changing an order's status, due to missing security checks. Successful exploitation could lead to operational disruption, financial loss, and damage to customer trust.
Vulnerability
The vulnerability exists because the get_cc_orders and update_order_status functions within the plugin fail to perform a capability check. This means the functions do not verify if the user making a request has the appropriate permissions (e.g., administrator) to perform the requested action. An authenticated attacker with low-level privileges, such as a subscriber, can craft a direct request to these functions to either retrieve sensitive order information or arbitrarily change the status of any order in the system.
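To make the flaw class concrete, the following is an added illustration and not the plugin's own code: a hypothetical WordPress AJAX handler shown first without a capability check, then in a hardened form that adds authorization, a nonce check and input validation. The hook name, nonce action, the `manage_options` capability and the `ccb_*` helper are assumptions for the illustration.

```php
<?php
// Added illustration; not code from the Cost Calculator Builder plugin.
// Hook names, nonce action, capability and the ccb_* helpers are hypothetical.

// Hypothetical storage helper standing in for the plugin's order data layer.
function ccb_set_order_status( $order_id, $status ) {
    update_option( 'ccb_order_' . $order_id . '_status', $status );
}

// Insecure pattern (the class of bug described above): wp_ajax_* hooks fire for
// every authenticated user, so without a capability check any subscriber-level
// account reaches this handler and can change any order's status.
function ccb_update_order_status_insecure() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    ccb_set_order_status( $order_id, $status );
    wp_send_json_success();
}

// Hardened pattern: authorization, CSRF protection and an allow-list on input.
function ccb_update_order_status_secure() {
    // 1. CSRF protection: the request must carry a nonce issued to this user.
    //    check_ajax_referer() ends the request on failure.
    check_ajax_referer( 'ccb_orders_nonce', 'nonce' );

    // 2. Authorization: the missing check in the vulnerable class of handler.
    //    Only users allowed to manage the site may read or modify orders.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validation: restrict the new status to a fixed allow-list.
    $allowed  = array( 'pending', 'paid', 'completed', 'refunded' );
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_key( $_POST['status'] ?? '' );
    if ( 0 === $order_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    ccb_set_order_status( $order_id, $status );
    wp_send_json_success( array( 'order_id' => $order_id, 'status' => $status ) );
}

// Register only the hardened handler; the same three checks apply to a
// read-side handler that lists orders, since order data is also sensitive.
add_action( 'wp_ajax_ccb_update_order_status', 'ccb_update_order_status_secure' );
```

The capability check is the control whose absence the advisory describes; the nonce and allow-list are defence in depth that a reviewer would expect alongside it.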
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could have a significant business impact, including direct financial loss by marking paid orders as refunded or unpaid orders as complete. It can also cause severe operational disruption by altering order fulfillment workflows, leading to customer dissatisfaction and reputational damage. The ability to view all order data also introduces a risk of customer information exposure, potentially leading to privacy violations.
Remediation
Immediate Action: Identify all WordPress sites using the Cost Calculator Builder plugin and update it without delay to the latest version provided by the developer, which contains the necessary security patch. If the plugin is not essential for business operations, the most secure course of action is to deactivate and remove it completely.
Proactive Monitoring: Monitor web server and application logs for suspicious POST/GET requests targeting the application's order management endpoints, specifically from users with non-administrative roles. Set up alerts for an unusual volume of order status changes or modifications originating from unexpected user accounts or IP addresses.
Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) rule to block or restrict access to the vulnerable functions for all users except for trusted administrators. Additionally, consider temporarily disabling user registration or restricting the capabilities of low-privileged roles to reduce the attack surface.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score and the direct potential for financial and operational impact, it is strongly recommended that organizations prioritize the immediate patching of this vulnerability. Although there is no evidence of active exploitation, the simplicity of the flaw means that an exploit could be developed easily. All instances of the Cost Calculator Builder plugin version 3.0 and below should be updated without delay to prevent potential abuse.