CVE-2025-12529: Critical File Deletion Vulnerability Plagues Cost Calculator Builder Plugin

Overview

A high-severity vulnerability, identified as CVE-2025-12529, has been discovered in the Cost Calculator Builder plugin for WordPress. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server. Exploitation of this vulnerability can lead to remote code execution, potentially compromising the entire WordPress site. This issue affects all versions up to, and including, 3.6.3 of the plugin, but is only exploitable when the Pro version of the Cost Calculator Builder plugin is also installed along with the free version.

Technical Details

The vulnerability stems from insufficient file path validation within the deleteOrdersFiles() function of the Cost Calculator Builder plugin. Specifically, the plugin fails to properly sanitize file paths before passing them to deletion functions when an administrator deletes orders. An unauthenticated attacker can inject malicious file paths into the order data, leading to the deletion of arbitrary files on the server when an administrator performs order deletion. This is particularly dangerous if an attacker manages to delete critical files like wp-config.php, potentially leading to site takeover or remote code execution.
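As an added example, not the plugin's own code, the PHP below shows the kind of path confinement the paragraph above says deleteOrdersFiles() lacks: each file name stored with an order is reduced to a bare name, resolved with realpath(), and must land inside the plugin's upload directory before anything is unlinked. The function names, directory layout and sample inputs are hypothetical.

```php
<?php
// Added example, not Cost Calculator Builder code. Function names and the
// upload-directory layout are hypothetical.

/**
 * Return the canonical path of $name inside $base_dir, or null if $name is
 * anything other than a plain file name that resolves inside $base_dir.
 */
function ccb_example_safe_order_file(string $base_dir, string $name): ?string
{
    $base = realpath($base_dir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // Stored order data is attacker-influenced: accept only a bare file name,
    // so directory separators and ".." never reach the path that is built.
    if ($name !== basename($name) || $name === '.' || $name === '..') {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() follows symlinks, so a link pointing outside the upload
    // directory fails this prefix check even though the name looked harmless.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Delete each validated order file; return [name => 'deleted'|'rejected']. */
function ccb_example_delete_order_files(string $base_dir, array $names): array
{
    $result = [];
    foreach ($names as $name) {
        $path = ccb_example_safe_order_file($base_dir, (string) $name);
        if ($path === null) {
            error_log('order file deletion rejected: ' . json_encode($name));
            $result[$name] = 'rejected';
            continue;
        }
        // Inside WordPress, wp_delete_file() would replace unlink() here.
        $result[$name] = unlink($path) ? 'deleted' : 'rejected';
    }
    return $result;
}

// Constructed demo: one real order file plus names that must be rejected.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ccb_example_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'order-17.pdf', 'constructed');
print_r(ccb_example_delete_order_files($dir, ['order-17.pdf', '../outside.txt', 'sub/order-17.pdf']));
rmdir($dir);
```

Only `order-17.pdf` is reported as deleted; the traversal and subdirectory names are logged and rejected, which is also the event a defender would alert on.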

The problematic code can be found in the following files (as of version 3.6.1):

CVSS Analysis

  • CVE ID: CVE-2025-12529
  • Severity: HIGH
  • CVSS Score: 8.8

A CVSS score of 8.8 indicates a high-severity vulnerability. The ease of exploitation (unauthenticated access) coupled with the potential for significant impact (arbitrary file deletion and potential RCE) makes this a critical issue.

Possible Impact

Successful exploitation of this vulnerability can have severe consequences:

  • Arbitrary File Deletion: Attackers can delete any file accessible to the web server user, including configuration files, plugin files, or even core WordPress files.
  • Remote Code Execution (RCE): Deletion of specific files, such as wp-config.php, can lead to the exposure of sensitive information and potential remote code execution.
  • Website Defacement: Deletion of theme files or other critical assets can lead to website defacement or complete site unavailability.
  • Data Loss: The attacker can potentially delete database backups or other crucial data, leading to significant data loss.

Mitigation and Patch Steps

The most crucial step is to update the Cost Calculator Builder plugin to the latest version as soon as a patch is available. Check the WordPress plugin repository or the plugin developer’s website for updates.

In the meantime, while waiting for a patch, consider the following mitigations:

  • Disable the Cost Calculator Builder Plugin: If possible, temporarily disable the plugin until an update is available.
  • Monitor Administrator Activity: Closely monitor administrator activity related to order management for any suspicious patterns.
  • Web Application Firewall (WAF): Implement a WAF with rules that can detect and block attempts to inject malicious file paths.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
