WordPress Security Bulletin: Cost Calculator Builder Plugin Vulnerability (CVE-2025-14757)

On this page

Security Alert Summary

The Cost Calculator Builder plugin for WordPress contains an unauthenticated payment status bypass (CVE-2025-14757). When used with Cost Calculator Builder PRO, the plugin registers a complete_payment AJAX action via wp_ajax_nopriv and the complete() function only verifies a nonce that is exposed in the page source via window.ccb_nonces. As described in the CVE, this allows an unauthenticated attacker to mark orders as “completed” without making a payment.


CVE Details

  • CVE ID: CVE-2025-14757
  • Affected plugin/component: The Cost Calculator Builder plugin for WordPress
  • Affected versions: All versions up to, and including, 3.6.9 when used in combination with Cost Calculator Builder PRO (as stated in the CVE entry)
  • Published: January 16, 2026 at 9:15:59 AM
  • Last modified: January 16, 2026 at 3:55:12 PM
  • CVSS v3.1: Base Score 5.3, Severity MEDIUM, Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: Privileges Required: NONE; User Interaction: NONE; Attack Vector: NETWORK; Attack Complexity: LOW
  • Impact (CIA): Confidentiality: NONE; Integrity: LOW; Availability: NONE
  • Weakness (CWE): CWE-862

Technical Details

The vulnerability is an unauthenticated payment status bypass. The plugin registers the complete_payment AJAX action using wp_ajax_nopriv, which exposes that action to unauthenticated visitors. The implementation of the payment completion routine (the complete() function referenced in the CVE) only verifies a nonce and does not verify user capabilities or whether the requester owns the order being modified.

The CVE notes that nonces required by the routine are available to all visitors through the page source via window.ccb_nonces. Because nonces are accessible publicly and there are no ownership or capability checks, an unauthenticated attacker can invoke the exposed AJAX action to set an order’s payment status to “completed” without an actual payment being processed.


How This Could Impact Your Website

Consider a typical site with a site owner, internal staff handling orders, and external contractors or contributors who may assist with order processing. An unauthenticated attacker could mark orders as complete, causing staff to believe payment has been received and triggering fulfillment or provisioning of services and goods. This can lead to financial loss, unfulfilled reconciliation, and operational disruption when staff act on falsely completed orders.

Although the CVSS metrics indicate no confidentiality impact for this vulnerability, the integrity impact (orders marked completed without payment) can still create downstream business and operational risks, including incorrect fulfillment and billing disputes. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available (the CVE entry does not specify a fixed version).
  • Review and reduce unnecessary user roles, especially contributors and any accounts that do not require order-management capabilities.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and order logs for unusual behavior, such as orders marked completed without corresponding payment records.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References