📄 Description (English)
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb_woocommerce_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the renderWooCommercePayment() function passing user-controlled data directly to CCBWooCheckout::init() without authorization checks. This makes it possible for unauthenticated attackers to add WooCommerce products to their cart with attacker-controlled prices.
🤖 AI Executive Summary
CVE-2025-14755 is a medium-severity vulnerability in the Cost Calculator Builder WordPress plugin (versions ≤4.0.1 with PRO) that allows unauthenticated attackers to manipulate product prices in WooCommerce carts through an unprotected AJAX endpoint. This vulnerability enables price manipulation attacks without authentication, potentially leading to revenue loss and fraudulent transactions. The vulnerability is particularly concerning for Saudi e-commerce platforms and online retailers using this plugin combination.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 29, 2026 14:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi e-commerce sector, particularly online retailers, digital marketplaces (Noon, Zando, local SME retailers), and financial institutions processing online transactions. Banking sector (SAMA-regulated entities) and payment service providers are at risk if they integrate WooCommerce-based solutions. Government procurement portals and healthcare e-commerce platforms using this plugin combination are also vulnerable. The vulnerability enables revenue fraud and inventory manipulation, directly impacting Saudi businesses' financial integrity and customer trust.
🏢 Affected Saudi Sectors
E-commerce and Online Retail
Banking and Financial Services
Payment Service Providers
Government Procurement Portals
Healthcare E-commerce
Telecommunications (online billing)
Digital Marketplaces
SME Online Retailers
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application: Unauthenticated AJAX endpoint exploitation
T1566 - Phishing: Potential for fraudulent transaction schemes
T1578 - Modify Cloud Compute Infrastructure: Price manipulation for financial gain
T1583 - Acquire Infrastructure: Potential for coordinated price manipulation attacks
T1589 - Gather Victim Identity Information: Exploitation of customer transaction data
T1592 - Gather Victim Host Information: Reconnaissance of vulnerable WooCommerce installations
T1040 - Network Sniffing: Interception of unprotected AJAX communications
T1110 - Brute Force: Potential for automated price manipulation attempts
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using Cost Calculator Builder plugin (versions ≤4.0.1) combined with PRO version
2. Disable the vulnerable plugin immediately if not critical to operations
3. Implement Web Application Firewall (WAF) rules to block ccb_woocommerce_payment AJAX requests from unauthenticated users
4. Review transaction logs for suspicious price modifications in the past 30 days
PATCHING GUIDANCE:
1. Monitor plugin repository for security updates (currently no patch available)
2. Contact plugin vendor for timeline on security patch
3. Consider alternative cost calculator plugins with security certifications
COMPENSATING CONTROLS:
1. Implement server-side price validation: verify all cart prices against product database before checkout
2. Add authentication requirement to all AJAX endpoints via wp_verify_nonce() checks
3. Implement rate limiting on checkout/payment AJAX endpoints
4. Enable WooCommerce transaction logging and monitoring
5. Deploy IDS/IPS rules to detect price manipulation patterns
DETECTION RULES:
1. Monitor wp-admin/admin-ajax.php for ccb_woocommerce_payment requests without valid user sessions
2. Alert on cart price discrepancies exceeding 10% from product database values
3. Track failed authorization attempts on payment processing endpoints
4. Monitor for bulk price manipulation attempts from single IP addresses
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات WordPress التي تستخدم إضافة Cost Calculator Builder (الإصدارات ≤4.0.1) مع الإصدار PRO
2. تعطيل الإضافة المعرضة للخطر فوراً إذا لم تكن حرجة للعمليات
3. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) لحجب طلبات AJAX ccb_woocommerce_payment من المستخدمين غير المصرحين
4. مراجعة سجلات المعاملات للتحقق من تعديلات الأسعار المريبة في آخر 30 يوماً
إرشادات التصحيح:
1. مراقبة مستودع الإضافات للحصول على تحديثات الأمان (لا يوجد تصحيح متاح حالياً)
2. الاتصال بمورد الإضافة للحصول على جدول زمني لتصحيح الأمان
3. النظر في بدائل إضافات حاسبة التكاليف المعتمدة أماناً
الضوابط التعويضية:
1. تطبيق التحقق من صحة الأسعار من جانب الخادم: التحقق من جميع أسعار العربة مقابل قاعدة بيانات المنتجات قبل الدفع
2. إضافة متطلبات المصادقة لجميع نقاط نهاية AJAX عبر فحوصات wp_verify_nonce()
3. تطبيق تحديد معدل الطلبات على نقاط نهاية AJAX للدفع/الخروج
4. تفعيل تسجيل ومراقبة معاملات WooCommerce
5. نشر قواعد IDS/IPS للكشف عن أنماط معالجة الأسعار
قواعد الكشف:
1. مراقبة wp-admin/admin-ajax.php لطلبات ccb_woocommerce_payment بدون جلسات مستخدم صحيحة
2. التنبيه على تناقضات أسعار العربة التي تتجاوز 10% من قيم قاعدة بيانات المنتجات
3. تتبع محاولات الفشل في التفويض على نقاط نهاية معالجة الدفع
4. مراقبة محاولات معالجة الأسعار بكميات كبيرة من عناوين IP الفردية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control: Unauthenticated AJAX endpoint violates access control requirements
ECC 2024 A.5.2.1 - User Authentication: Missing authentication on sensitive payment operations
ECC 2024 A.5.3.1 - Authorization: Insufficient authorization checks on price modification functions
ECC 2024 A.6.1.2 - Cryptography: Transaction integrity not protected against price manipulation
🔵 SAMA CSF
SAMA CSF ID.AM-2: Asset Management - Identify and manage WooCommerce-based payment systems
SAMA CSF PR.AC-1: Access Control - Implement authentication for all payment-related endpoints
SAMA CSF PR.AC-3: Access Control - Enforce authorization on sensitive financial transactions
SAMA CSF DE.CM-1: Detection and Analysis - Monitor for unauthorized price modifications
SAMA CSF RC.RP-1: Recovery Planning - Establish transaction rollback procedures for fraudulent orders
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - User Access Management: Authentication controls missing on AJAX endpoints
ISO 27001:2022 A.5.3 - Access Control: Authorization checks not implemented for price manipulation
ISO 27001:2022 A.8.2 - Cryptography: Transaction integrity controls inadequate
ISO 27001:2022 A.12.4 - Logging: Insufficient logging of unauthorized access attempts
ISO 27001:2022 A.14.2 - Change Management: Vulnerable plugin versions not properly managed
🟣 PCI DSS v4.0.1
PCI DSS 1.2.1 - Firewall Configuration: WAF rules needed to block unauthorized payment requests
PCI DSS 2.1 - Default Security Parameters: AJAX endpoints require authentication enforcement
PCI DSS 6.5.1 - Injection Flaws: Price manipulation through unvalidated user input
PCI DSS 6.5.10 - Broken Authentication: Missing authentication on payment processing
PCI DSS 10.2 - Logging: Implement comprehensive logging of all payment transaction attempts
🔗 References & Sources 3
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/fe684f43-8442-4b29-84a8-da8c6...
security@wordfence.com