Cost Calculator Builder WordPress Plugin Missing Authorization Vulnerability in Order Management Functions
Vulnerability
A vulnerability exists in the Cost Calculator Builder plugin for WordPress, affecting all versions through 3.5.32. The issue arises from a lack of proper capability checks in the 'get_cc_orders' and 'update_order_status' functions. This flaw allows authenticated attackers with Subscriber-level access and above to manipulate order management functions and change order statuses.
Impact
Exploitation of this vulnerability could lead to unauthorized modifications of order statuses, potentially disrupting order management processes.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the WordPress site that includes the 'get_cc_orders' or 'update_order_status' action. The request will bypass the necessary authorization checks, allowing the user to access and modify order information.
Remediation
Users are advised to update the Cost Calculator Builder plugin to version 3.5.33 or later.
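The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code (the action names, option name and capability used below are assumptions): a wp_ajax_ handler is reachable by every logged-in user, Subscribers included, so the handler itself must check a capability before reading or changing order data.

```php
<?php
// Added illustration, not the plugin's code. Action names, the option
// name and the capability are assumptions.

// Registering a wp_ajax_ hook (without wp_ajax_nopriv_) only excludes
// anonymous users; any authenticated role can call the handler.
add_action( 'wp_ajax_example_get_orders', 'example_get_orders_unsafe' );
function example_get_orders_unsafe() {
    // Missing authorization: no current_user_can() and no nonce, so a
    // Subscriber can read the order list.
    wp_send_json_success( get_option( 'example_orders', array() ) );
}

// Hardened handler: verify the nonce (CSRF) and require a capability
// appropriate for order management before touching data.
add_action( 'wp_ajax_example_update_order_status', 'example_update_order_status' );
function example_update_order_status() {
    // Nonce issued with wp_create_nonce( 'example_orders' ) on the admin page.
    check_ajax_referer( 'example_orders', 'nonce' );

    // Authorization: Subscribers do not hold manage_options, so they are refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $allowed  = array( 'pending', 'processing', 'completed', 'cancelled' );

    // Validate input after authorization: only known statuses are accepted.
    if ( ! $order_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid order or status' ), 400 );
    }

    $orders = get_option( 'example_orders', array() );
    if ( ! isset( $orders[ $order_id ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown order' ), 404 );
    }
    $orders[ $order_id ]['status'] = $status;
    update_option( 'example_orders', $orders );

    wp_send_json_success( array( 'order_id' => $order_id, 'status' => $status ) );
}
```

wp_send_json_error() terminates the request, so each failed check above stops the handler before any order data is touched.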
