CVE-2025-52775: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Ronik@UnlimitedWP Project Cost Calculator plugin version 1.0.0 and earlier. The vulnerability was disclosed on August 11, 2025, and was assigned CVE-2025-52775. The vulnerability allows exploiting incorrectly configured access control security levels in the WordPress plugin (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 7.1 (HIGH). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H, indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, and potential for high availability impact with low integrity impact (NVD, Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. The issue is considered moderately dangerous and is expected to become exploited. The software is likely abandoned as it hasn't been updated for over a year, increasing the security risk (Patchstack).

No official fix is currently available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks. Users are advised to either implement the Patchstack virtual patch or remove and replace the software entirely, as it appears to be abandoned. Note that merely deactivating the software does not remove the security threat unless a virtual patch is deployed (Patchstack).