CVE-2024-6010

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated attackers to manipulate the price of orders submitted via the calculator. Note: this vulnerability was partially patched with the release of Cost Calculator Builder version 3.2.17.
Configurations

Configuration 1 (hide)

cpe:2.3:a:stylemixthemes:cost_calculator_builder:*:*:*:*:pro:wordpress:*:*

History

23 Oct 2024, 16:15

Type Values Removed Values Added
Summary (en) The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.1.96. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated attackers to manipulate the price of orders submitted via the calculator. Note: this vulnerability was partially patched with the release of Cost Calculator Builder version 3.2.17. (en) The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated attackers to manipulate the price of orders submitted via the calculator. Note: this vulnerability was partially patched with the release of Cost Calculator Builder version 3.2.17.
References
  • () https://docs.stylemixthemes.com/cost-calculator-builder/changelog-1/changelog-pro-version -
  • () https://plugins.trac.wordpress.org/changeset/3172590/ -

26 Sep 2024, 16:06

Type Values Removed Values Added
First Time Stylemixthemes
Stylemixthemes cost Calculator Builder
CWE NVD-CWE-Other
CPE cpe:2.3:a:stylemixthemes:cost_calculator_builder:*:*:*:*:pro:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/cost-calculator-builder/trunk/frontend/dist/order.js - () https://plugins.trac.wordpress.org/browser/cost-calculator-builder/trunk/frontend/dist/order.js - Issue Tracking
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/fc04e676-e394-488e-a239-95af5f865613?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/fc04e676-e394-488e-a239-95af5f865613?source=cve - Third Party Advisory

09 Sep 2024, 13:03

Type Values Removed Values Added
Summary
  • (es) El complemento Cost Calculator Builder PRO para WordPress es vulnerable a la manipulación de precios en todas las versiones hasta la 3.1.96 incluida. Esto se debe a que el complemento permite manipular el campo de precio antes del procesamiento a través de la función 'create_cc_order', llamada desde el complemento Cost Calculator Builder. Esto hace posible que atacantes no autenticados manipulen el precio de los pedidos enviados a través de la calculadora. Nota: esta vulnerabilidad fue parcialmente corregida con el lanzamiento de la versión 3.2.17 de Cost Calculator Builder.

07 Sep 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-07 12:15

Updated : 2024-10-23 16:15


NVD link : CVE-2024-6010

Mitre link : CVE-2024-6010

CVE.ORG link : CVE-2024-6010


JSON object : View

Products Affected

stylemixthemes

  • cost_calculator_builder
CWE
NVD-CWE-Other CWE-472

External Control of Assumed-Immutable Web Parameter