CVE-2025-2128: 
WordPress vulnerability analysis and mitigation

The Cost Calculator Builder plugin for WordPress contains a time-based SQL Injection vulnerability (CVE-2025-2128) affecting all versions up to and including 3.2.67. The vulnerability was discovered and disclosed on April 11, 2025, impacting authenticated users with Subscriber-level access and above (NVD).

The vulnerability exists in the 'order_ids' parameter due to insufficient escaping of user-supplied input and inadequate preparation of SQL queries. This allows authenticated attackers to append additional SQL queries to existing ones. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and required privileges (NVD).

The vulnerability enables authenticated attackers to extract sensitive information from the database through SQL injection techniques. The CVSS score indicates high confidentiality impact, though integrity and availability are not affected (NVD).

The vulnerability has been patched in version 3.2.68 of the Cost Calculator Builder plugin. Users are advised to update to this version or later to mitigate the risk (WordPress Plugin).