Skip to main content

QuanticaLabs Cost Calculator CVE-2025-54047

MEDIUM
Missing Authorization (CWE-862)
2025-07-16 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:42 NVD
4.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in QuanticaLabs Cost Calculator ql-cost-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cost Calculator: from n/a through <= 7.4.

AnalysisAI

Missing authorization controls in QuanticaLabs Cost Calculator WordPress plugin version 7.4 and earlier allow unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability enables attackers to access or modify calculator functionality that should be restricted, with an extremely low exploitation probability (EPSS 0.05%) suggesting minimal real-world attack activity despite the access control weakness.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a classic access control flaw where the application fails to enforce proper permission checks on sensitive operations. In the context of the QuanticaLabs Cost Calculator WordPress plugin (CPE matches wp:quanticalabs:cost-calculator:*:*), the plugin likely exposes calculator endpoints or administrative functions without verifying user roles or permissions before allowing execution. This is a common pattern in WordPress plugin development where REST API endpoints or AJAX handlers are inadvertently left unprotected by missing capability checks (e.g., omitting current_user_can() checks in PHP).

Affected ProductsAI

QuanticaLabs Cost Calculator WordPress plugin version 7.4 and earlier are affected. The plugin is available on WordPress.org and is tracked as wp:quanticalabs:cost-calculator. According to the Patchstack vulnerability database, the affected version range is from initial release through version 7.4 inclusive.

RemediationAI

Update QuanticaLabs Cost Calculator to the latest patched version released after 7.4 (exact version number not specified in available advisory data; check WordPress.org plugin page or Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ql-cost-calculator/vulnerability/wordpress-cost-calculator-plugin-7-4-broken-access-control-vulnerability for the minimum safe version). If automatic update is unavailable, manually verify that your plugin version is greater than 7.4. As a temporary workaround pending patch application, restrict plugin functionality via WordPress role management or disable the plugin if not actively required.

Share

CVE-2025-54047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy