CVE-2024-6010

EUVD-2024-47174

07.09.2024, 12:15

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated attackers to manipulate the price of orders submitted via the calculator. Note: this vulnerability was partially patched with the release of Cost Calculator Builder version 3.2.17.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 57%

Affected Products (NVD)

Vendor	Product	Version
stylemixthemes	cost_calculator_builder	𝑥 ≤ 3.1.96

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
stylemixthemes	cost_calculator_builder_pro	𝑥 ≤ 3.2.1	ADP

Common Weakness Enumeration

CWE-472 - External Control of Assumed-Immutable Web Parameter
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

References

https://docs.stylemixthemes.com/cost-calculator-builder/changelog-1/changelog-pro-version

https://plugins.trac.wordpress.org/browser/cost-calculator-builder/trunk/frontend/dist/order.js

https://plugins.trac.wordpress.org/changeset/3172590/

https://www.wordfence.com/threat-intel/vulnerabilities/id/fc04e676-e394-488e-a239-95af5f865613?source=cve