CVE-2024-6010 MEDIUM

CVE-2024-6010: Cost Calculator Builder PRO <= 3.2.1 - Unauthenticated Price Manipulation

Vendor Stylemixthemes
Product Cost Calculator Builder PRO
Weakness CWE-472
Published September 7, 2024
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated attackers to manipulate the price of orders submitted via the calculator. Note: this vulnerability was partially patched with the release of Cost Calculator Builder version 3.2.17.
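The usual mitigation for this weakness class (CWE-472, External Control of Assumed-Immutable Web Parameter) is to recompute the price on the server and treat any client-sent total as untrusted. The PHP sketch below is an added example, not code from the plugin or its vendor; the function names, the field layout, and the sample request are all hypothetical.

```php
<?php
// Added illustration of a CWE-472 mitigation. Not the plugin's code:
// every name and the field layout below are hypothetical.

// Trusted price table, standing in for the stored calculator definition.
// Constructed sample data; prices are in cents.
const CALC_FIELDS = [
    'base_package' => ['unit_price' => 10000, 'max_qty' => 1],
    'extra_pages'  => ['unit_price' => 2500,  'max_qty' => 20],
    'rush_fee'     => ['unit_price' => 5000,  'max_qty' => 1],
];

// Recompute the total from trusted definitions. Only field IDs and
// quantities are read from the request; submitted prices are never used.
function compute_order_total(array $submitted): int
{
    $total = 0;
    foreach ($submitted['items'] ?? [] as $id => $qty) {
        $id = (string) $id;
        if (!array_key_exists($id, CALC_FIELDS)) {
            throw new InvalidArgumentException("Unknown field: $id");
        }
        $qty = filter_var($qty, FILTER_VALIDATE_INT, ['options' => [
            'min_range' => 0,
            'max_range' => CALC_FIELDS[$id]['max_qty'],
        ]]);
        if ($qty === false) {
            throw new InvalidArgumentException("Bad quantity for field: $id");
        }
        $total += $qty * CALC_FIELDS[$id]['unit_price'];
    }
    return $total;
}

// Bill the server-side total; a differing client total is logged as a
// tampering signal but never trusted.
function build_order(array $submitted): array
{
    $total    = compute_order_total($submitted);
    $claimed  = $submitted['total'] ?? null;
    $mismatch = $claimed !== null && (string) $claimed !== (string) $total;
    if ($mismatch) {
        error_log('order total mismatch: client=' . json_encode($claimed) . " server=$total");
    }
    return ['total' => $total, 'client_total_mismatch' => $mismatch];
}

// Constructed request body in which the client claims a total of 1 cent.
$request = ['items' => ['base_package' => 1, 'extra_pages' => 4], 'total' => '1'];
print_r(build_order($request));
```

Logging the mismatch gives site operators a detection signal for tampered submissions while the stored order keeps the server-computed amount.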

Explanation of Vulnerability in Simple Terms

02 Summary

Cost Calculator Builder PRO versions up to 3.2.1 contain an integrity vulnerability that allows unauthenticated attackers to modify data via the network. The vulnerability requires no user interaction and can be exploited remotely. Site administrators should update to a version newer than 3.2.1 to remediate the issue.

What an attacker can do

03 Attacker Capabilities

Modify data on the site without authentication.

Potential impact on your site

04 Site Impact

Attackers can alter calculator configurations, pricing data, or form submissions without logging in.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

September 7, 2024 CVE published
April 8, 2026 Record updated