Can you explain this vulnerability to me?

This vulnerability exists in the Cost Calculator Builder plugin for WordPress, where insufficient validation of file paths in the deleteOrdersFiles() function allows unauthenticated attackers to inject arbitrary file paths. When an administrator deletes orders, these injected paths can cause arbitrary files to be deleted, potentially leading to remote code execution if critical files like wp-config.php are removed. The vulnerability affects all versions up to and including 3.6.3 and requires both the free and Pro versions of the plugin to be installed to be exploitable.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can have severe impacts including unauthorized deletion of arbitrary files on the server hosting the WordPress site. This can lead to remote code execution, allowing attackers to run malicious code remotely, potentially compromising the entire website and server. It can result in data loss, website downtime, and unauthorized access to sensitive information.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update or remove the Cost Calculator Builder plugin if you have versions up to and including 3.6.3 installed. Ensure that the Pro version is not installed alongside the free version, as exploitation requires both. Additionally, restrict administrator actions to trusted users only and monitor for suspicious file deletions, especially of critical files like wp-config.php.

Useful 0 Not Useful 0