Cost Calculator Builder WordPress Plugin Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the Cost Calculator Builder plugin for WordPress, affecting all versions through 3.6.3. The issue arises from inadequate file path validation in the deleteOrdersFiles() function: an unauthenticated attacker can inject arbitrary file paths into an order, and those paths are deleted when an administrator later deletes that order. Exploiting this vulnerability could lead to remote code execution if a critical file, such as wp-config.php, is deleted. The vulnerability is only exploitable if both the free and Pro versions of the Cost Calculator Builder plugin are active.

Impact

Successful exploitation allows for arbitrary file deletion, which could be leveraged to execute remote code, particularly if a sensitive file like wp-config.php is removed.

Reproduction

To reproduce this vulnerability, an attacker can send a request to the WordPress site with an injected file path targeting the deleteOrdersFiles() function. This can be done by manipulating the order details of a calculator that uses file upload fields, such as by uploading a file through the calculator's front end and then deleting the order via the WordPress admin. The injected file path can be crafted to include a file that, when deleted, would allow for remote code execution.

Remediation

Users are advised to update the Cost Calculator Builder plugin to version 3.6.4 or later.
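The root cause above is a deletion routine that trusts a file path stored in an order record. The following is an added example of the defensive pattern such a fix needs; it is not the plugin's code, and the function and directory names are hypothetical. Order records are assumed to store only the uploaded file's bare name, and every deletion is confined to the plugin's upload directory.

```php
<?php
// Added example, not the plugin's own code: confine deletion of an order's
// attachment to one upload directory before calling unlink().

/**
 * Delete one file referenced by an order record, but only if it is a bare
 * file name that resolves inside $base_dir. Returns true when deleted.
 */
function safe_delete_order_file(string $stored_name, string $base_dir): bool
{
    // realpath() canonicalises "..", symlinks and repeated separators, so the
    // containment check below compares canonical paths, not raw strings.
    $base = realpath($base_dir);
    if ($base === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // A stored value such as "../../wp-config.php" or an absolute path is not
    // a bare file name; refuse it instead of joining it onto the base.
    if ($stored_name === '' || $stored_name !== basename($stored_name)) {
        error_log("order file deletion refused, not a bare name: $stored_name");
        return false;
    }

    // realpath() is false for a missing file; a symlink inside the upload
    // directory that points elsewhere resolves outside $base and is refused.
    $target = realpath($base . $stored_name);
    if ($target === false
        || strncmp($target, $base, strlen($base)) !== 0
        || !is_file($target)) {
        error_log("order file deletion refused, outside upload dir: $stored_name");
        return false;
    }
    return unlink($target);
}

// Hypothetical WordPress call site: the base directory is a plugin-specific
// subfolder of the uploads directory (subfolder name is a placeholder).
// $base = wp_upload_dir()['basedir'] . '/PLUGIN_ORDERS_SUBDIR/';
// safe_delete_order_file($order_file_name, $base);
```

Logging each refused deletion gives the site owner a detection signal: an order whose stored file name fails the bare-name check is itself evidence of tampering.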

Added: Dec 2, 2025, 3:49 AM
Updated: Dec 2, 2025, 3:49 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.4
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.