Stop Broken Access Control in WordPress Plugins//Published on 2026-05-13//CVE-2025-14755

WP-FIREWALL SECURITY TEAM

Cost Calculator Builder Vulnerability

Plugin Name Cost Calculator Builder
Type of Vulnerability Broken Access Control
CVE Number CVE-2025-14755
Urgency Low
CVE Publish Date 2026-05-13
Source URL CVE-2025-14755

Urgent Security Notice: Broken Access Control in Cost Calculator Builder (≤ 4.0.1) — What WordPress Site Owners Must Do Now

Author: WP‑Firewall Security Team
Date: 2026-05-13

Summary

A broken access control vulnerability (CVE-2025-14755) affecting the Cost Calculator Builder WordPress plugin (versions up to and including 4.0.1) allows unauthenticated users to manipulate price data and exploit insecure direct object references (IDOR). Although classified as low severity (CVSS 5.3), this issue can be leveraged for fraud, revenue loss, and downstream abuse on sites using the plugin for quotes, pricing calculators, or checkout flows. The plugin author released a fix in version 4.0.2. This post explains the risk, how attackers abuse it, how to detect exploitation, step-by-step mitigation and short-term hardening, and how WP‑Firewall can protect your site while you patch.

Why this matters (plain language)

If you run a WordPress site that uses built-in calculators or a quoting system (Cost Calculator Builder), attackers can interact with the plugin’s API endpoints without logging in. That lack of authorization allows the attacker to:

  • change displayed or submitted prices in a way the site owner never intended,
  • place orders or generate quotes with manipulated values,
  • exploit business logic to obtain services or discounts for free, and
  • potentially pivot to other parts of the site if any downstream logic trusts the manipulated values.

Even when a vulnerability is labeled “low” by a scoring system, the real-world impact can be significant — especially for small businesses and stores that rely on online quotes, estimates, or integrated pricing calculators.

What the vulnerability is (technical overview)

  • Affected software: Cost Calculator Builder plugin for WordPress, versions ≤ 4.0.1.
  • Patched in: version 4.0.2.
  • Classification: Broken Access Control with Insecure Direct Object Reference (IDOR).
  • CVE: CVE‑2025‑14755
  • Required privilege to exploit: None (unauthenticated).

At a high level, the plugin exposes endpoints (AJAX, REST, or form handlers) that accept requests which update or return pricing information. These endpoints do not properly validate:

  1. The identity or privilege of the caller (missing or insufficient authorization checks), and
  2. That the object identifier passed (e.g., quote_id, calculator_id, or item_id) actually belongs to the session or user making the request.

When either of those checks are missing, an unauthenticated actor can craft requests that target arbitrary quote IDs or calculator entries and alter price values, leading to price manipulation.

Important: We intentionally avoid publishing exploit payloads or step‑by‑step attack recipes. This post focuses on detection and mitigation so site owners and administrators can act quickly and safely.

How an attacker might abuse this vulnerability (attack scenarios)

Below are realistic abuse scenarios we’ve observed in similar cases. These are illustrative — not instructions.

  • Price bypass for quote-based services: An attacker submits a request that alters the price of a quote to a much smaller amount (or zero), then uses the manipulated quote to request services or to pay less than intended. If downstream fulfillment relies on the submitted quote without revalidating price server-side, the attacker receives the service at the manipulated rate.
  • Free or reduced checkout: When calculators are used to determine an order total for a checkout process, manipulated values can reduce or eliminate totals. If the e-commerce flow trusts the calculator output without a server-side recomputation, attackers can complete purchases for less or free.
  • Mass abuse: Because the endpoint is unauthenticated, attackers can script bulk requests against many calculator IDs (enumeration + IDOR) to manipulate many quotes or create fraudulent orders at scale.
  • Reputation or business damage: Attackers can deliberately post incorrect pricing information (such as negative or ridiculously low prices) visible to customers, causing confusion or reputational harm.

Even if the financial loss is limited, these incidents trigger operational costs: investigations, refunds, customer support load, and potential regulatory obligations depending on your region.

Signs your site may have been targeted

Check for the following indicators in your logs and admin area:

  • Unexpected price or quote changes recorded in your database (new entries showing prices that contradict expected business logic).
  • Orders, appointments, or service requests with zero/near-zero totals or suspicious discount values.
  • Access logs showing calls to calculator or AJAX endpoints from unusual IPs, bots, or repeated requests with different object IDs (enumeration patterns).
  • High volume of POST requests to calculator endpoints from a small number of IPs.
  • Unexplained admin notifications, email confirmations, or new submissions that do not match normal customer behavior.
  • Unusual sequences in audit trails (if your plugin logs changes to quotes, check for unauthenticated changes).

If you spot any of these, treat the site as potentially compromised and act quickly (see the Incident Response section below).

Immediate steps you must take (short-term mitigation)

  1. Update the plugin right now
    • The vendor published a patch in version 4.0.2. Upgrading to 4.0.2 or later is the primary and recommended fix.
    • If you use managed WordPress hosting or a staging system, test the update in staging first. But if you can’t test quickly, prioritize the update on production and be ready to rollback if you have issues.
  2. If you cannot update immediately, disable the plugin
    • Temporarily deactivate the Cost Calculator Builder plugin to remove the vulnerable endpoints from public access until you can patch safely.
  3. Limit access to vulnerable endpoints (temporary WAF or web server rules)
    • Restrict the calculator endpoints so only trusted IPs can reach them; deny unauthenticated public access to endpoints used to update prices or quotes.
    • Example options:
      • Block requests to the plugin’s AJAX or REST endpoints unless they include expected authenticated cookies or known server-side tokens.
      • Use .htaccess/nginx rules to deny public POSTs to specific plugin PHP files.
    • Note: These mitigations are stopgaps — follow up with the official plugin update.
  4. Harden form submissions and AJAX calls
    • Check whether forms or AJAX handlers present in your theme or customizations perform server-side price recomputation or trust client-submitted totals. If the latter, change logic to recompute totals server-side based on canonical data after the patch is applied.
  5. Apply rate limiting and bot protection
    • Add rate limits that make mass enumeration or brute-force price manipulation impractical.
    • Implement Captcha on quote submission endpoints if appropriate.
  6. Monitor logs and set alerts
    • Deploy monitoring to alert on anomalies: sudden spike of price updates, many POST requests to the same endpoint, or many different object‑ID parameters coming from a single IP range.

Recommended WAF controls (how WP‑Firewall helps)

While the plugin should be patched by the developer, a web application firewall (WAF) can greatly reduce the window of risk. Here are rule examples WP‑Firewall can implement immediately (conceptual pseudo-rules — your WAF console will present specific configuration options):

  • Block unauthenticated access to calculator modification endpoints:
    • If request path matches /wp-admin/admin-ajax.php or plugin-specific path AND action parameter is “update_price” (or other price-update actions) AND no valid WP logged-in cookie present -> BLOCK.
  • Block suspicious price values:
    • If request body includes parameter price and price <= 0 or price < (expected minimum) -> BLOCK and LOG.
  • Prevent IDOR via session-object binding:
    • If request references quote_id/item_id but the session cookie does not match the owner -> CHALLENGE or BLOCK.
  • Detect and throttle enumeration:
    • If a single IP requests > X different calculator/quote IDs in Y minutes -> RATE LIMIT or BLOCK.
  • Prevent parameter tampering:
    • If request has mismatched referer/header or missing expected nonce header for authenticated actions -> BLOCK.

WP‑Firewall can also deliver virtual/temporary patches (application-level rules applied at the WAF layer) while you plan and deploy the official plugin update. Virtual patching reduces the attack surface and buys time without updating code.

How to validate the fix after updating

After upgrading to 4.0.2 (or later):

  1. Re-test critical flows in a staging environment:
    • Submit quotes and run through the calculation and checkout flow.
    • Validate that price values computed by server-side logic match expected totals.
    • Confirm that only authenticated/authorized APIs update stored price data.
  2. Monitor server logs for residual malicious attempts:
    • Keep WAF logging active for at least two weeks and watch for blocked attempts against calculator endpoints.
    • Investigate any attempts that successfully reached the site prior to the patch.
  3. Check database integrity:
    • Ensure no fraudulent orders, manipulated quotes, or unexpected discount entries are present.
    • If you find suspicious entries, follow the Incident Response guidance below.
  4. Rotate API keys and relevant credentials:
    • If the plugin or site used any API credentials exposed in logs or files, rotate them.

Incident Response: What to do if you were exploited

If you detect signs of exploitation, follow these steps:

  1. Isolate and contain
    • Take the vulnerable plugin offline (deactivate or block endpoint access) immediately.
    • If necessary, temporarily put the site in maintenance mode to prevent further fraud.
  2. Preserve evidence
    • Collect webserver logs, database snapshots, and plugin logs for forensic analysis.
    • Snapshot the site and database (read-only) to avoid altering evidence.
  3. Triage scope and impact
    • Identify which quote IDs, orders, or user accounts were affected.
    • Calculate the financial exposure and possible data leakage.
  4. Clean up and recover
    • Remove manipulated entries where possible and restore from a clean backup if necessary.
    • Rotate credentials that could have been involved (admin accounts, API keys).
    • Apply the plugin patch (4.0.2+) and any other missing security updates.
  5. Notify stakeholders
    • Depending on your business, you may need to notify affected customers, internal teams, or regulators.
    • Be transparent about the action you took, and provide remediation steps for affected customers.
  6. Learn and harden
    • After recovery, conduct a post-incident review. Update processes so updates/patches are applied faster in the future.
    • Add ongoing monitoring and WAF rules to prevent recurrence.

If you’re uncertain about the technical steps or lack in-house resources, engage a trusted WordPress security provider or a professional incident response team.

Developer guidance: How the plugin should have been built

For plugin authors and developers working on quote/calculation code, avoid these pitfalls:

  • Never trust client-side values for pricing or totals. Always recompute on the server using canonical data.
  • Use strong authorization checks for any action that modifies pricing, orders, or other business-critical data:
    • Verify capability: current_user_can(‘edit_post’, $object_id) or custom capability checks as relevant.
    • Enforce nonces for logged-in actions and CSRF tokens for REST endpoints.
  • Avoid exposing raw object IDs in ways that allow easy enumeration or manipulation. Map external identifiers to internal IDs on the server side.
  • Sanitize and validate all inputs. Reject suspicious price values (negative, zero, or outside expected ranges).
  • Log and audit changes to prices and quotes for forensic capability.
  • Implement rate limits and CAPTCHA where user-submitted pricing or quotes are common.
  • Security by design: include threat modeling in development cycles and run automated static and dynamic scans before release.

Practical checklist for site owners (quick reference)

Immediate (within hours):

  • Update Cost Calculator Builder to version 4.0.2 or later.
  • If unable to update, deactivate the plugin.
  • Enable WAF rules to block unauthenticated updates to calculator endpoints.
  • Monitor access logs for suspicious POSTs to calculator endpoints.
  • Put high-risk forms behind CAPTCHA or rate limiting.

Next 24–72 hours:

  • Recompute totals server-side and validate order integrity.
  • Scan database for suspicious orders/quotes.
  • Rotate admin and API credentials if compromise is suspected.

Ongoing:

  • Keep plugins and themes updated (apply patches promptly).
  • Use a managed WAF and malware scanner.
  • Maintain a tested backup and restore process.
  • Review and harden access control on custom integrations.

Example: safe WAF rule patterns (conceptual)

Below are conceptual filters you should consider. Your WP‑Firewall or other WAF console will allow you to create these kinds of protections without changing plugin code:

  • Deny unauthenticated POSTs to plugin endpoints:
    • Condition: request.path contains “/path/to/calc-endpoint” AND request.method == POST AND NOT cookie contains “wordpress_logged_in” -> action: BLOCK
  • Block likely manipulation by price parameter:
    • Condition: request.body contains “price” AND (price <= 0 OR price < expected_minimum) -> action: BLOCK + ALERT
  • Block rapid enumeration:
    • Condition: > 50 distinct values for parameter “quote_id” from same IP within 10 minutes -> action: RATE LIMIT or BLOCK
  • Enforce expected headers:
    • Condition: request.method == POST AND NOT header[“X-Requested-With”] == “XMLHttpRequest” -> action: CHALLENGE (CAPTCHA) or BLOCK

Note: Exact implementation varies by hosting environment. WP‑Firewall’s managed rules can be applied for you if you prefer not to craft rules manually.

Why patching matters even with a WAF in place

A WAF provides an important layer but it’s not a permanent substitute for a code-side patch. Virtual patching and firewall rules reduce the chance of exploitation but cannot fix bugs in application logic or prevent all creative abuse. Treat WAF protections as a short-to-medium-term mitigation while you apply the official plugin update and perform a full security review.

About WP‑Firewall’s approach to incidents like this

We operate as a proactive WordPress security provider. When a vulnerability like this is disclosed, our recommended approach to our customers is:

  • Immediate mitigation with managed WAF rules (virtual patching).
  • Prompt guidance to update plugins and confirm fixes.
  • Continuous monitoring for residual or attempted exploitation.
  • Assistance with incident triage and recovery if required.

If you’re already using WP‑Firewall, our team can apply temporary rules to block the vulnerability vectors described here while you schedule and test the plugin update.

Secure Your Site Today — Start with Our Free Protection Plan

If you manage WordPress sites and want a reliable, easy first step to reduce risk, try our Basic (Free) plan. It includes essential protections that help guard against the kind of broken access control exploited in this vulnerability:

  • Managed firewall with customizable WAF rules
  • Unlimited bandwidth for firewall traffic
  • Web Application Firewall (WAF) protections
  • Malware scanner to detect suspicious artifacts
  • Mitigation for OWASP Top 10 risks

Sign up for the free plan and let us protect your site while you patch or prepare updates: https://my.wp-firewall.com/buy/wp-firewall-free-plan/

(If you need more automation and remediation, our paid plans add automatic malware removal, blacklisting controls, monthly reports, and auto virtual patching.)

Closing notes: prioritized actions for busy site owners

  1. Patch the plugin to 4.0.2 immediately.
  2. If you cannot patch right away, deactivate the plugin and enable WAF rules to block calculator modification endpoints.
  3. Monitor logs, scan for suspicious orders/quotes, and remediate any fraud.
  4. Use defensive measures — virtual patching, rate limiting, and server-side validation — to reduce the attack surface.
  5. If you need help, bring in a WordPress security provider or use managed WAF services to get temporary protection while you fix the root cause.

Security incidents like this highlight a recurring theme: even small code omissions in add-on plugins can produce outsized risk. Timely updates, layered defenses (WAF + logging + monitoring), and a tested incident response plan are the best way to keep your WordPress site safe.

If you’d like assistance implementing immediate WAF rules or performing an urgent site inspection, our WP‑Firewall security team is ready to help. Sign up for our free plan to get essential protections right away and speak to our team about proactive support.

wordpress security update banner

Receive WP Security Weekly for Free 👋
Signup Now!!

Sign up to receive WordPress Security Update in your inbox, every week.

We don’t spam! Read our privacy policy for more info.

Contact us to schedule a complimentary WordPress Security consultation

Contact Us

WP-Firewall
6/F, The Rays, 71 Hung To Road, Kwun Tong, Kowloon, Hong Kong

Features Pricing Blog Login
Privacy Policy Terms of Service Docs Affiliate

© 2026 WP-Firewall™