Unauthenticated Price Manipulation in Cost Calculator Builder by WordPress
CVE-2025-14755

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Cost Calculator Builder
Vendor: CVE Published:; 13 May 2026

What is CVE-2025-14755?

The Cost Calculator Builder plugin for WordPress is susceptible to vulnerabilities that enable unauthenticated users to manipulate pricing. Specifically, the ccb_woocommerce_payment AJAX action, which is registered via wp_ajax_nopriv, grants unauthenticated access to the function. This implementation flaw allows attackers to bypass authentication and submit unauthorized pricing information, enabling them to add WooCommerce products to their cart at dynamically controlled prices. The vulnerability is prevalent in all versions up to and including 4.0.1, particularly when used alongside Cost Calculator Builder PRO.

Affected Version(s)

Cost Calculator Builder 0 <= 4.0.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/cost-calculato...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Dec 15, 2025

Credit

andrea bocchetti

CVE-2025-14755 Data

JSON