{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9243", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-20T11:13:03.674Z", "datePublished": "2025-10-04T02:24:36.330Z", "dateUpdated": "2026-04-08T17:14:22.077Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:22.077Z"}, "affected": [{"vendor": "stylemix", "product": "Cost Calculator Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.32", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status."}], "title": "Cost Calculator Builder <= 3.5.32 - Authenticated (Subscriber+) Missing Authorization via get_cc_orders/update_order_status Functions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa46bdb3-6bbe-4f2f-8e1a-fbb54c5b39fd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3371684/cost-calculator-builder#file388"}, {"url": "https://plugins.trac.wordpress.org/changeset/3371684/cost-calculator-builder#file389"}, {"url": "https://research.cleantalk.org/cve-2025-9243/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-08-11T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-09-19T17:13:43.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-03T14:11:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-06T14:14:51.119486Z", "id": "CVE-2025-9243", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T14:16:47.715Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9243", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-06T14:14:51.119486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T14:14:55.771Z"}}], "cna": {"title": "Cost Calculator Builder <= 3.5.32 - Authenticated (Subscriber+) Missing Authorization via get_cc_orders/update_order_status Functions", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}}], "affected": [{"vendor": "stylemix", "product": "Cost Calculator Builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.5.32"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-11T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-09-19T17:13:43.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-03T14:11:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa46bdb3-6bbe-4f2f-8e1a-fbb54c5b39fd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3371684/cost-calculator-builder#file388"}, {"url": "https://plugins.trac.wordpress.org/changeset/3371684/cost-calculator-builder#file389"}], "descriptions": [{"lang": "en", "value": "The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-04T02:24:36.330Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9243", "state": "PUBLISHED", "dateUpdated": "2025-10-06T14:16:47.715Z", "dateReserved": "2025-08-20T11:13:03.674Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-04T02:24:36.330Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status."}], "id": "CVE-2025-9243", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-04T03:15:38.613", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3371684/cost-calculator-builder#file388"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3371684/cost-calculator-builder#file389"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-9243/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa46bdb3-6bbe-4f2f-8e1a-fbb54c5b39fd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:20:15.785923+00:00", "value": {"mitigation_remediation": ["Upgrade Cost Calculator Builder to version\u00a03.5.33 or later, which includes proper capability checks for order functions.", "Revoke or reduce Subscriber\u2011level access for users who do not require order management; configure role capabilities so that only Administrators can call get_cc_orders and update_order_status.", "If an immediate upgrade is not feasible, deploy a temporary code patch or use a role\u2011management plugin to block or disable the plugin\u2019s order\u2011management endpoints for all users except Administrators."], "summary": {"action": "Immediate Upgrade", "impact": "Unauthorized alteration of order status"}, "threat_synthesis": {"affected_systems": "The affected product is Stylemix Cost Calculator Builder. All released versions up to and including 3.5.32 are vulnerable. Organizations using any of these versions without upgrading face the described risk.", "description_and_impact": "The Cost Calculator Builder WordPress plugin contains a missing capability check on its get_cc_orders and update_order_status functions. This flaw allows any authenticated user with Subscriber\u2011level access or higher to read and change order data, letting an attacker modify the status of orders they do not own or should not manage. The impact is the unauthorized alteration of order information, which can disrupt customer workflows, financial processing, and inventory handling.", "risk_and_exploitability": "The CVSS score of 8.1 classifies the issue as high severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw requires only authenticated access at the Subscriber level, the risk remains significant for sites with many such users or where order management is critical."}}}}, "created": "2025-10-06T14:42:02.842838+00:00", "updated": "2026-04-20T19:30:06.160789+00:00", "vendors": ["stylemixthemes", "stylemixthemes$PRODUCT$cost_calculator_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}