CVE-2025-9243: 
WordPress vulnerability analysis and mitigation

The Cost Calculator Builder plugin for WordPress contains a vulnerability (CVE-2025-9243) discovered and disclosed on October 3, 2025. The vulnerability affects all versions up to and including 3.5.32, and is related to unauthorized modification of data due to missing capability checks in specific functions. This security issue impacts the plugin's order management functionality (NVD).

The vulnerability stems from missing capability checks in the getccorders and updateorderstatus functions. The issue has been assigned a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The vulnerability is classified as CWE-862 (Missing Authorization) (NVD, Tenable).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to access order management functions and modify order status without proper authorization. This could lead to unauthorized access to sensitive order information and the ability to manipulate order statuses (NVD).

The vulnerability has been patched in version 3.5.33 of the Cost Calculator Builder plugin. Users are advised to update to this version or later to address the security issue (WordPress Plugin).