CVE-2024-6010: 
WordPress vulnerability analysis and mitigation

The Cost Calculator Builder PRO plugin for WordPress contains a price manipulation vulnerability (CVE-2024-6010) affecting all versions up to and including 3.2.1. The vulnerability was discovered and reported by Wordfence, with initial disclosure on September 7, 2024. This security issue affects the WordPress plugin's price calculation functionality (NVD).

The vulnerability stems from the plugin allowing price field manipulation prior to processing via the 'createccorder' function, which is called from the Cost Calculator Builder plugin. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-472 (External Control of Assumed-Immutable Web Parameter) (Wordfence).

The vulnerability allows unauthenticated attackers to manipulate the price of orders submitted through the calculator. This could potentially lead to financial impact for websites using the affected plugin by allowing customers to modify prices during the order process (NVD).

A partial patch was released with Cost Calculator Builder version 3.2.17. Users are advised to update their installations to the latest version to mitigate this vulnerability (NVD).