CVE-2025-12529
Published: 02 December 2025
Description
The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable.
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the insufficient file path validation in deleteOrdersFiles() by requiring validation of injected order file paths to block arbitrary deletions.
- Mandates timely flaw remediation, including patching the Cost Calculator Builder plugin beyond version 3.6.3 to eliminate the vulnerability.
- Restricts user installation of vulnerable third-party WordPress plugins, such as the Cost Calculator Builder free and Pro versions that are both required for exploitation.
Security Summary
CVE-2025-12529 affects the Cost Calculator Builder plugin for WordPress, specifically due to insufficient file path validation in the deleteOrdersFiles() function within all versions up to and including 3.6.3. This flaw enables arbitrary file deletion on the server. Exploitation requires both the free version and the Cost Calculator Builder Pro version to be installed simultaneously. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-73 (External Control of File Name or Path).
Unauthenticated attackers can exploit this by injecting arbitrary file paths into orders stored by the plugin. When a WordPress administrator subsequently deletes these orders, the plugin processes the injected paths without validation, resulting in the deletion of the targeted files. Deleting critical files such as wp-config.php can lead to remote code execution, which accounts for the high confidentiality, integrity, and availability impacts in the score, although exploitation relies on administrator user interaction to trigger the deletion.
References include source code locations in CCBOrderController.php at lines 262 and 513 from version 3.6.1, highlighting the vulnerable deleteOrdersFiles() implementation, along with a Wordfence threat intelligence advisory detailing the issue. No specific patch details are provided in the CVE data, but updating beyond version 3.6.3 is implied as necessary for mitigation.
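The weakness described above is CWE-73: a file path stored with an order is handed to a delete routine without being confined to the directory the plugin is allowed to manage. The following is an added example, not code from the Cost Calculator Builder plugin or from Wordfence, of how such a deletion routine can be hardened: every stored path is resolved with realpath() and must land strictly inside an assumed base directory before unlink() runs. The function names (resolve_order_file, delete_order_files_safely) and the directory layout are hypothetical; the sample inputs are constructed to exercise the filter.

```php
<?php
// Added example (not the plugin's own code): confine order-file deletion to one base directory.

/**
 * Return the canonical absolute path of $candidate if it resolves to an existing
 * file strictly inside $baseDir; otherwise return null so the caller skips it.
 */
function resolve_order_file(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory itself is missing; refuse everything
    }
    // Cheap syntactic rejections before touching the filesystem:
    // empty values, NUL bytes, ".." segments, absolute POSIX paths and Windows drive letters.
    if ($candidate === '' || strpos($candidate, "\0") !== false) {
        return null;
    }
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $candidate)
        || $candidate[0] === '/'
        || preg_match('#^[A-Za-z]:#', $candidate)) {
        return null;
    }
    // Canonicalise (follows symlinks) and require the result to stay under $base.
    $full = realpath($base . DIRECTORY_SEPARATOR . $candidate);
    if ($full === false) {
        return null; // does not exist: nothing to delete
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // escaped the base directory (e.g. via a symlink)
    }
    return $full;
}

/**
 * Delete only the stored paths that pass the containment check; report the rest.
 */
function delete_order_files_safely(string $baseDir, array $storedPaths): array
{
    $result = ['deleted' => [], 'rejected' => []];
    foreach ($storedPaths as $stored) {
        $full = resolve_order_file($baseDir, (string) $stored);
        if ($full === null || !is_file($full)) {
            $result['rejected'][] = $stored;
            continue;
        }
        unlink($full);
        $result['deleted'][] = $full;
    }
    return $result;
}

// Self-contained demonstration on a throwaway directory (constructed data).
$tmp = sys_get_temp_dir() . '/order_files_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/uploads/orders", 0700, true);
file_put_contents("$tmp/uploads/orders/receipt-42.pdf", 'sample attachment');
file_put_contents("$tmp/wp-config.php", '<?php // placeholder standing in for the real config');

$storedPaths = [
    'receipt-42.pdf',       // legitimate attachment belonging to the order
    '../../wp-config.php',  // traversal value an attacker might have stored with the order
    '/etc/hostname',        // absolute path
    'missing.pdf',          // does not exist
];

print_r(delete_order_files_safely("$tmp/uploads/orders", $storedPaths));
// Only receipt-42.pdf is deleted; the other three are listed under "rejected".
var_dump(file_exists("$tmp/wp-config.php")); // bool(true): untouched
```

The check is layered on purpose: the syntactic filter gives an early, cheap rejection and a clear audit signal, while the realpath() containment test catches what string inspection cannot, such as a symlink inside the uploads directory that points elsewhere. A stored path that fails either test should be logged as a rejected deletion, since that record is the detection opportunity for an attempt like the one this CVE describes.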
Details
- CWE(s): CWE-73 (External Control of File Name or Path)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated exploitation of public-facing WordPress plugin (T1190) enables arbitrary file deletion (T1107) via injected paths triggered by admin action.