What the vulnerability does
01 Description
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb_woocommerce_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the renderWooCommercePayment() function passing user-controlled data directly to CCBWooCheckout::init() without authorization checks. This makes it possible for unauthenticated attackers to add WooCommerce products to their cart with attacker-controlled prices.
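The pattern the description names, as an added illustration constructed for this page rather than the plugin's own code: an AJAX handler exposed through wp_ajax_nopriv that trusts a client-supplied price, beside a hardened handler that verifies a nonce and recomputes the price from server-side configuration. Every name here (the ccb_example_* functions and actions, the option key, the POST fields) is an assumption.

```php
<?php
// Constructed illustration, not code from Cost Calculator Builder.

// WEAK: the nopriv registration makes the action reachable without login,
// and the price arrives straight from the request.
add_action( 'wp_ajax_nopriv_ccb_example_checkout', 'ccb_example_checkout_weak' );
add_action( 'wp_ajax_ccb_example_checkout',        'ccb_example_checkout_weak' );
function ccb_example_checkout_weak() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $price      = (float) ( $_POST['price'] ?? 0 );      // client-controlled value
    WC()->cart->add_to_cart( $product_id, 1, 0, array(), array( 'ccb_price' => $price ) );
    wp_send_json_success();
}

// HARDENED: guests may still check out, but the request must carry a nonce
// issued with the page, and the price is derived from stored configuration.
add_action( 'wp_ajax_nopriv_ccb_example_checkout_safe', 'ccb_example_checkout_safe' );
add_action( 'wp_ajax_ccb_example_checkout_safe',        'ccb_example_checkout_safe' );
function ccb_example_checkout_safe() {
    check_ajax_referer( 'ccb_example_nonce', 'nonce' );   // terminates on failure
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $calc_id    = absint( $_POST['calc_id'] ?? 0 );
    $inputs     = array_map( 'sanitize_text_field', (array) ( $_POST['inputs'] ?? array() ) );
    $price      = ccb_example_server_price( $calc_id, $inputs );
    if ( null === $price || ! wc_get_product( $product_id ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    WC()->cart->add_to_cart( $product_id, 1, 0, array(), array( 'ccb_price' => $price ) );
    wp_send_json_success();
}

// Hypothetical recomputation: only the quantity comes from the visitor; the
// unit price is read from an option the administrator saved.
function ccb_example_server_price( $calc_id, array $inputs ) {
    $config = get_option( 'ccb_example_calc_' . $calc_id );
    if ( ! is_array( $config ) || empty( $config['unit_price'] ) ) {
        return null;
    }
    $qty = max( 1, absint( $inputs['quantity'] ?? 1 ) );
    return round( (float) $config['unit_price'] * $qty, 2 );
}

// Both handlers store the price on the cart item; WooCommerce applies it here.
add_action( 'woocommerce_before_calculate_totals', function ( $cart ) {
    foreach ( $cart->get_cart() as $item ) {
        if ( isset( $item['ccb_price'] ) ) {
            $item['data']->set_price( (float) $item['ccb_price'] );
        }
    }
} );
```

For a logged-out visitor a WordPress nonce is a weak CSRF token rather than an authorization check, so the server-side price derivation is the control that actually closes the manipulation path.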
Explanation of Vulnerability in Simple Terms
02 Summary
Cost Calculator Builder through version 4.0.1 lacks proper authorization checks, allowing unauthenticated attackers to modify data via network requests. The vulnerability does not expose sensitive information or disrupt service availability, but permits unauthorized changes to calculator configurations or stored values. Site administrators should update to a version newer than 4.0.1 when available.
What an attacker can do
03 Attacker Capabilities
Modify calculator data or settings without authentication.
Potential impact on your site
04 Site Impact
Attackers can alter cost calculator configurations, pricing, or results visible to site visitors.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 13, 2026: CVE published
May 13, 2026: Record updated