Refine your search
4 vulnerabilities found for Cost Calculator Builder by Stylemix
CVE-2025-12529 (GCVE-0-2025-12529)
Vulnerability from nvd
Published
2025-12-02 01:51
Modified
2025-12-02 16:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-73 - External Control of File Name or Path
Summary
The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| stylemix | Cost Calculator Builder |
Version: * ≤ 3.6.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12529",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:51:42.382546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:55:33.155Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cost Calculator Builder",
"vendor": "stylemix",
"versions": [
{
"lessThanOrEqual": "3.6.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "JEONG YU CHAN"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T01:51:56.201Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4154684d-3f9b-418f-b9d1-a5d22d4d84d3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.1/includes/classes/CCBOrderController.php#L513"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.1/includes/classes/CCBOrderController.php#L262"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-18T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-10-30T18:14:05.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-01T11:27:40.000+00:00",
"value": "Disclosed"
}
],
"title": "Cost Calculator Builder \u003c= 3.6.3 - Unauthenticated Arbitrary File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12529",
"datePublished": "2025-12-02T01:51:56.201Z",
"dateReserved": "2025-10-30T17:54:27.730Z",
"dateUpdated": "2025-12-02T16:55:33.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62049 (GCVE-0-2025-62049)
Vulnerability from nvd
Published
2025-11-06 15:55
Modified
2025-11-13 10:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder.This issue affects Cost Calculator Builder: from n/a through <= 3.5.32.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Stylemix | Cost Calculator Builder |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-62049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:11:29.511677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:12:03.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cost-calculator-builder",
"product": "Cost Calculator Builder",
"vendor": "Stylemix",
"versions": [
{
"changes": [
{
"at": "3.5.33",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 3.5.32",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2025-11-06T16:47:28.991Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder.\u003cp\u003eThis issue affects Cost Calculator Builder: from n/a through \u003c= 3.5.32.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder.This issue affects Cost Calculator Builder: from n/a through \u003c= 3.5.32."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T10:33:47.048Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/cost-calculator-builder/vulnerability/wordpress-cost-calculator-builder-plugin-3-5-32-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Cost Calculator Builder plugin \u003c= 3.5.32 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-62049",
"datePublished": "2025-11-06T15:55:44.281Z",
"dateReserved": "2025-10-07T15:34:31.733Z",
"dateUpdated": "2025-11-13T10:33:47.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12529 (GCVE-0-2025-12529)
Vulnerability from cvelistv5
Published
2025-12-02 01:51
Modified
2025-12-02 16:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-73 - External Control of File Name or Path
Summary
The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| stylemix | Cost Calculator Builder |
Version: * ≤ 3.6.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12529",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T16:51:42.382546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T16:55:33.155Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cost Calculator Builder",
"vendor": "stylemix",
"versions": [
{
"lessThanOrEqual": "3.6.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "JEONG YU CHAN"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T01:51:56.201Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4154684d-3f9b-418f-b9d1-a5d22d4d84d3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.1/includes/classes/CCBOrderController.php#L513"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.1/includes/classes/CCBOrderController.php#L262"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-18T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-10-30T18:14:05.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-01T11:27:40.000+00:00",
"value": "Disclosed"
}
],
"title": "Cost Calculator Builder \u003c= 3.6.3 - Unauthenticated Arbitrary File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12529",
"datePublished": "2025-12-02T01:51:56.201Z",
"dateReserved": "2025-10-30T17:54:27.730Z",
"dateUpdated": "2025-12-02T16:55:33.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62049 (GCVE-0-2025-62049)
Vulnerability from cvelistv5
Published
2025-11-06 15:55
Modified
2025-11-13 10:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder.This issue affects Cost Calculator Builder: from n/a through <= 3.5.32.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Stylemix | Cost Calculator Builder |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-62049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:11:29.511677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:12:03.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cost-calculator-builder",
"product": "Cost Calculator Builder",
"vendor": "Stylemix",
"versions": [
{
"changes": [
{
"at": "3.5.33",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 3.5.32",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2025-11-06T16:47:28.991Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder.\u003cp\u003eThis issue affects Cost Calculator Builder: from n/a through \u003c= 3.5.32.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder.This issue affects Cost Calculator Builder: from n/a through \u003c= 3.5.32."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T10:33:47.048Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/cost-calculator-builder/vulnerability/wordpress-cost-calculator-builder-plugin-3-5-32-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Cost Calculator Builder plugin \u003c= 3.5.32 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-62049",
"datePublished": "2025-11-06T15:55:44.281Z",
"dateReserved": "2025-10-07T15:34:31.733Z",
"dateUpdated": "2025-11-13T10:33:47.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}