Cost Calculator Builder Payment Status Bypass Vulnerability
Vulnerability
A vulnerability exists in the Cost Calculator Builder plugin for WordPress, in versions through 3.6.9, when used with Cost Calculator Builder PRO. It allows unauthenticated users to bypass payment status checks and mark orders as 'completed' without any actual payment. The flaw arises because the 'complete_payment' AJAX action is exposed to unauthenticated users and the handling function verifies only a nonce; a nonce guards against cross-site request forgery but says nothing about who the caller is, and the function performs no check of user capabilities or order ownership. Since the nonces are printed in the page source and therefore publicly accessible, any unauthenticated attacker can exploit this flaw.
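The pattern described above, shown in generic WordPress plugin code beside a hardened version, as an added illustration that is not code from the Cost Calculator Builder plugin. Only the 'complete_payment' action name comes from the advisory; the hook registrations, function names, nonce action name, post type, meta keys and the gateway helper are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code: the weak handler pattern the
// advisory describes, followed by a hardened version. All names other than
// the 'complete_payment' action are hypothetical.

// --- Weak pattern: reachable without login, nonce is the only check ---
// Registering the callback on the nopriv hook makes it reachable anonymously.
add_action( 'wp_ajax_complete_payment', 'example_complete_payment_weak' );
add_action( 'wp_ajax_nopriv_complete_payment', 'example_complete_payment_weak' );

function example_complete_payment_weak() {
    // A nonce only proves the request came from a page that printed it.
    // It is a CSRF control, not an authorization check, and here the nonce
    // is printed for every visitor, so it proves nothing about the caller.
    check_ajax_referer( 'example_complete_payment', 'nonce' );

    $order_id = absint( $_POST['order_id'] ?? 0 );
    // No capability or ownership check: any visitor can mark any order paid.
    update_post_meta( $order_id, 'payment_status', 'completed' );
    wp_send_json_success();
}

// --- Hardened pattern: logged-in only, capability, ownership, gateway ---
add_action( 'wp_ajax_complete_payment', 'example_complete_payment_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous requests get
// WordPress's default "0" / 400 response and never reach the callback.

function example_complete_payment_hardened() {
    // Still keep the nonce: it protects logged-in users from CSRF.
    check_ajax_referer( 'example_complete_payment', 'nonce' );

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = $order_id ? get_post( $order_id ) : null;
    // 'example_order' is a hypothetical post type for stored orders.
    if ( ! $order || 'example_order' !== $order->post_type ) {
        wp_send_json_error( 'invalid order', 404 ); // wp_send_json_error() exits
    }

    // Authorization: a site manager, or the customer who owns the order.
    $is_manager = current_user_can( 'manage_options' );
    $is_owner   = (int) $order->post_author === get_current_user_id();
    if ( ! $is_manager && ! $is_owner ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Even the owner must not self-declare payment; only a gateway-confirmed
    // transaction may move the order to 'completed'.
    if ( ! $is_manager && ! example_gateway_confirms_payment( $order_id ) ) {
        wp_send_json_error( 'payment not confirmed', 402 );
    }

    update_post_meta( $order_id, 'payment_status', 'completed' );
    wp_send_json_success();
}

// Hypothetical helper: a server-side gateway callback (webhook) is assumed to
// have stored a verified transaction id under this meta key; the browser
// never gets to assert that payment happened.
function example_gateway_confirms_payment( $order_id ) {
    return '' !== (string) get_post_meta( $order_id, '_example_gateway_txn_id', true );
}
```

The two handlers differ in who may reach the code and what the code trusts: the hardened version removes the anonymous hook, ties the status change to an authenticated identity with a capability or ownership check, and takes the payment fact from the server-side gateway record rather than from the request itself. The nonce stays in place because it still does its real job, which is CSRF protection for logged-in users.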
Impact
Exploitation of this vulnerability allows for unauthorized manipulation of order payment statuses, potentially leading to financial discrepancies or abuse of the ordering system.
Reproduction
To reproduce this vulnerability, an unauthenticated user can send a request to the 'complete_payment' AJAX action. This request must include a valid nonce, which can be obtained from the 'window.ccb_nonces' variable available in the page source. The absence of checks for user capabilities or order ownership allows the attacker to successfully mark any order's payment status as 'completed'.
Remediation
Users are advised to update the Cost Calculator Builder plugin to version 3.6.10 or later, where this vulnerability has been patched.
