CVE-2025-9243: 
WordPress vulnerability analysis and mitigation

The Cost Calculator Builder plugin for WordPress contains a vulnerability (CVE-2025-9243) discovered on October 3, 2025. The vulnerability affects all versions up to and including 3.5.32 and is related to unauthorized modification of data due to missing capability checks in specific functions. This security issue allows authenticated attackers with Subscriber-level access or higher to access order management functions and modify order status (NVD).

The vulnerability stems from missing capability checks on the get_cc_orders and update_order_status functions. The issue has been assigned a CVSS v3.1 Base Score of 8.1 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is classified as CWE-862 (Missing Authorization). The vulnerability allows authenticated users with minimal privileges to perform unauthorized actions on order management functions (NVD).

The vulnerability enables authenticated attackers with Subscriber-level access or higher to access order management functions and modify order status without proper authorization. This could lead to unauthorized access to sensitive order information and potential manipulation of order statuses, compromising the integrity of the order management system (NVD).

The vulnerability has been fixed in version 3.5.33 of the Cost Calculator Builder plugin. Users are advised to update to this version or later to address the security issue. No alternative workarounds have been provided (WordPress Plugin).