Cyber Posture

CVE-2025-12529

Severity: High
Published: 02 December 2025
Modified: 15 April 2026
KEV Added: none (not currently listed in the CISA KEV catalog)
Patch: no patch details recorded in the CVE data (updating beyond version 3.6.3 is implied; see Deeper analysis)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12529 is a high-severity External Control of File Name or Path (CWE-73) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation

Directly addresses the insufficient file path validation in deleteOrdersFiles() by requiring that stored order file paths be validated before use, blocking arbitrary deletions.

prevent · SI-2 Flaw Remediation

Mandates timely flaw remediation, including updating the Cost Calculator Builder plugin beyond version 3.6.3 to eliminate the vulnerability.

prevent

Restricts user installation of third-party WordPress plugins such as the Cost Calculator Builder free and Pro versions, both of which must be installed for exploitation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?
Why these techniques?

Unauthenticated exploitation of a public-facing WordPress plugin (T1190) enables arbitrary file deletion (T1107) via injected paths, triggered when an administrator deletes the affected orders.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable.

Deeper analysis

CVE-2025-12529 affects the Cost Calculator Builder plugin for WordPress, specifically due to insufficient file path validation in the deleteOrdersFiles() function within all versions up to and including 3.6.3. This flaw enables arbitrary file deletion on the server. Exploitation requires both the free version and the Cost Calculator Builder Pro version to be installed simultaneously. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-73 (External Control of File Name or Path).

Unauthenticated attackers can exploit this by injecting arbitrary file paths into orders stored by the plugin. When a WordPress administrator subsequently deletes these orders, the plugin processes the injected paths without validation, resulting in the deletion of targeted files. Deleting critical files such as wp-config.php can lead to remote code execution, granting attackers high confidentiality, integrity, and availability impacts, though it relies on administrator user interaction to trigger the deletion.
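The SI-10 control recommended above comes down to one rule at the point where order files are removed: refuse any stored value that does not resolve to a regular file inside the directory the plugin owns. The PHP helper below is an added illustration of that rule and is not code from the Cost Calculator Builder plugin; the function name ccb_safe_delete_order_file, its parameters, and the scratch directory built in the demo are all assumptions made for the example.

```php
<?php
// Added illustration, not code from the Cost Calculator Builder plugin.
// Returns the resolved path of a deletable order file, or null if the stored
// value must be rejected. $storedName and $allowedDir are hypothetical names.
function ccb_resolve_order_file(string $storedName, string $allowedDir): ?string
{
    // Fail closed if the allowed directory itself cannot be resolved.
    $base = realpath($allowedDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // NUL bytes are rejected first: PHP filesystem functions refuse them, and
    // they are a classic way to cut a path short in front of a later check.
    if ($storedName === '' || strpos($storedName, "\0") !== false) {
        return null;
    }

    // Accept only a bare file name: no directory separators, no absolute
    // path, and neither "." nor "..".
    if ($storedName !== basename($storedName) || $storedName === '.' || $storedName === '..') {
        return null;
    }

    // realpath() follows symlinks, so a link planted inside the directory that
    // points at wp-config.php resolves outside $base and fails the prefix test.
    $target = realpath($base . $storedName);
    if ($target === false || strncmp($target, $base, strlen($base)) !== 0 || !is_file($target)) {
        return null;
    }

    return $target;
}

// Deletes a stored order file only after it passes the checks above.
// A refused value is logged: it is the signal that a stored order was
// tampered with before an administrator triggered the deletion.
function ccb_safe_delete_order_file(string $storedName, string $allowedDir): bool
{
    $target = ccb_resolve_order_file($storedName, $allowedDir);
    if ($target === null) {
        error_log(sprintf('order file deletion refused for stored value %s', json_encode($storedName)));
        return false;
    }
    return unlink($target);
}

// Constructed demo: a scratch directory holding one legitimate order file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ccb-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'order-42.pdf', 'constructed sample');

$results = [
    'traversal' => ccb_safe_delete_order_file('../../wp-config.php', $dir),
    'absolute'  => ccb_safe_delete_order_file('/etc/passwd', $dir),
    'in_scope'  => ccb_safe_delete_order_file('order-42.pdf', $dir),
];
var_dump($results);

// The in-scope deletion leaves the scratch directory empty, so it can be removed.
rmdir($dir);
```

The two injected values are refused before any filesystem call touches them, and only the bare file name inside the scratch directory is removed. In a WordPress deployment the natural choice for $allowedDir is the plugin's own subdirectory under the uploads base directory (for instance the basedir returned by wp_upload_dir()), and the error_log() line gives a defender a concrete string to alert on.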

References include source code locations in CCBOrderController.php at lines 262 and 513 from version 3.6.1, highlighting the vulnerable deleteOrdersFiles() implementation, along with a Wordfence threat intelligence advisory detailing the issue. No specific patch details are provided in the CVE data, but updating beyond version 3.6.3 is implied as necessary for mitigation.

Details

CWE(s)
CWE-73 External Control of File Name or Path

Affected Products
Cost Calculator Builder Pro (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-5809 (shared CWE-73)
CVE-2025-10058 (shared CWE-73)
CVE-2025-9048 (shared CWE-73)
CVE-2025-13322 (shared CWE-73)
CVE-2025-66254 (shared CWE-73)
CVE-2024-12267 (shared CWE-73)
CVE-2025-10494 (shared CWE-73)
CVE-2025-65115 (shared CWE-73)
CVE-2025-6691 (shared CWE-73)
CVE-2026-28442 (shared CWE-73)

References