PT-2025-48608 · WordPress · Cost Calculator Builder

Published: 2025-12-02 · Updated: 2025-12-02 · CVE-2025-12529

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Cost Calculator Builder plugin for WordPress versions up to and including 3.6.3

Description: The Cost Calculator Builder plugin for WordPress is susceptible to arbitrary file deletion due to inadequate file path validation within the deleteOrdersFiles() function. This allows unauthenticated attackers to inject arbitrary file paths into orders that are removed by an administrator. Exploitation could lead to remote code execution if a critical file, such as wp-config.php, is deleted. The Cost Calculator Builder Pro version must be installed alongside the free version for successful exploitation.

Recommendations: Versions prior to 3.6.4 should be updated.
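
The missing control described above is a containment check on the stored path before deletion. The following is an added PHP illustration, not the plugin's code or its actual patch: it contrasts an unchecked delete with one that resolves the path and refuses anything outside the intended directory. All function names, the directory layout and the sample files are hypothetical and constructed for the demo.

```php
<?php
// Added illustration; every name and path here is hypothetical, not taken from the plugin.

/** Unsafe pattern: deletes whatever path was stored with the order. */
function delete_order_file_unsafe(string $storedPath): bool
{
    return is_file($storedPath) && unlink($storedPath);
}

/** Hardened pattern: delete only regular files that resolve inside $baseDir. */
function delete_order_file_safe(string $storedPath, string $baseDir): bool
{
    $base = realpath($baseDir);
    $real = realpath($storedPath); // collapses ".." and symlinks; false if the file is missing
    if ($base === false || $real === false) {
        return false;
    }
    // Compare against the base with a trailing separator so "/uploads/orders-evil" does not match.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        error_log('Refused to delete file outside order upload directory: ' . $real);
        return false;
    }
    return is_file($real) && unlink($real);
}

// Constructed demo layout in a throwaway temp directory.
$root    = sys_get_temp_dir() . '/ccb_demo_' . bin2hex(random_bytes(4));
$uploads = "$root/uploads/orders";
mkdir($uploads, 0700, true);
file_put_contents("$root/wp-config.php", "<?php // placeholder\n");
file_put_contents("$uploads/quote.pdf", 'demo');

// A legitimate order attachment is removed; a path that escapes the directory is refused.
var_dump(delete_order_file_safe("$uploads/quote.pdf", $uploads));
var_dump(delete_order_file_safe("$uploads/../../wp-config.php", $uploads));
var_dump(file_exists("$root/wp-config.php"));

// Clean up the demo files.
unlink("$root/wp-config.php");
rmdir($uploads);
rmdir("$root/uploads");
rmdir($root);
```

The refusal is logged so that an order carrying an out-of-directory path leaves a trace for review. The same check belongs at order submission as well, so that client-supplied paths are never stored in the first place.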

Fix

RCE

Weakness Enumeration

Related Identifiers: CVE-2025-12529

Affected Products: Cost Calculator Builder