Time-Based SQL Injection in Cost Calculator Builder Plugin for WordPress
CVE-2025-2128

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Cost Calculator Builder
Vendor: CVE Published:; 11 April 2025

Summary

The Cost Calculator Builder plugin for WordPress is susceptible to a time-based SQL Injection through the 'order_ids' parameter, affecting all versions up to and including 3.2.67. This vulnerability arises from inadequate escaping of user-supplied input and poor SQL query preparation, allowing attackers with Subscriber-level access and higher to inject additional SQL queries. Such actions can lead to unauthorized access to sensitive information within the database, highlighting the importance of securing this plugin.

Affected Version(s)

Cost Calculator Builder * <= 3.2.67

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/cost-calculato...

https://wordpress.org/plugins/cost-calculator-builder/#de...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 11, 2025
Vulnerability Reserved
Mar 8, 2025

Credit

Michael Mazzolini