Description (NVD)
Missing Authorization vulnerability in QuanticaLabs Cost Calculator ql-cost-calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cost Calculator: from n/a through <= 7.4.
Analysis (AI)
Missing authorization controls in the QuanticaLabs Cost Calculator WordPress plugin, version 7.4 and earlier, allow unauthenticated or low-privileged attackers to bypass access control restrictions. The flaw lets an attacker access or modify calculator functionality that should be restricted to higher-privileged users. The exploitation probability is extremely low (EPSS 0.05%), which suggests minimal real-world attack activity despite the access control weakness.
Technical Context (AI)
The vulnerability is classified as CWE-862 (Missing Authorization), a classic access control flaw in which the application fails to enforce permission checks on sensitive operations. In the QuanticaLabs Cost Calculator WordPress plugin (CPE match wp:quanticalabs:cost-calculator:*:*), the plugin likely exposes calculator endpoints or administrative functions without verifying the caller's role or capabilities before executing them. This is a common pattern in WordPress plugin development: REST API endpoints or AJAX handlers are left unprotected because the capability check (e.g., current_user_can() in PHP) is omitted. Note that a nonce check alone does not close this gap, since nonces protect against CSRF rather than establishing what the caller is allowed to do.
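To make the pattern described above concrete, the following is an added example written for this page; it is not code from the Cost Calculator plugin, and every hook, function and option name (example_calc_*) is hypothetical. It shows an admin-ajax handler that lacks a capability check next to a hardened version that verifies both the nonce and the capability, plus the equivalent permission_callback for a REST route.

```php
<?php
// Added example, not code from the QuanticaLabs Cost Calculator plugin.
// All names prefixed example_calc_ are hypothetical and illustrate the
// CWE-862 pattern described in the advisory and the corresponding fix.

// Vulnerable pattern: the action is only reachable by logged-in users
// (wp_ajax_ prefix), but the handler never checks *which* user is calling,
// so a subscriber-level account can overwrite calculator settings.
// Had it also been hooked to wp_ajax_nopriv_..., unauthenticated visitors
// could reach it as well.
add_action( 'wp_ajax_example_calc_save_settings_legacy', 'example_calc_save_settings_vulnerable' );
function example_calc_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'example_calc_settings', $settings );   // no authorization check
    wp_send_json_success();
}

// Hardened pattern: verify the nonce (CSRF) *and* the capability (authorization).
// The nonce check alone is not authorization: any logged-in user can obtain a
// valid nonce for an action that a page hands them.
add_action( 'wp_ajax_example_calc_save_settings', 'example_calc_save_settings_secure' );
function example_calc_save_settings_secure() {
    // Terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_calc_save_settings', 'nonce' );

    // Authorization: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_option( 'example_calc_settings', $settings );
    wp_send_json_success();
}

// Equivalent protection for a REST route: permission_callback runs before the
// handler, so the capability check is enforced centrally by the REST server.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-calc/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_calc_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
function example_calc_rest_save_settings( WP_REST_Request $request ) {
    $settings = sanitize_text_field( (string) $request->get_param( 'settings' ) );
    update_option( 'example_calc_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class of issue, look at every add_action() on a wp_ajax_ or wp_ajax_nopriv_ hook and every register_rest_route() call and confirm that a current_user_can() check (or a non-trivial permission_callback) guards each state-changing handler; a nonce check by itself is not sufficient.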
Affected Products (AI)
QuanticaLabs Cost Calculator WordPress plugin versions 7.4 and earlier are affected. The plugin is available on WordPress.org and is tracked as wp:quanticalabs:cost-calculator. According to the Patchstack vulnerability database, the affected version range runs from the initial release through version 7.4 inclusive.
Remediation (AI)
Update QuanticaLabs Cost Calculator to the latest patched version released after 7.4. The exact fixed version is not specified in the available advisory data; check the WordPress.org plugin page or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ql-cost-calculator/vulnerability/wordpress-cost-calculator-plugin-7-4-broken-access-control-vulnerability for the minimum safe version. If automatic updates are unavailable, manually verify that the installed plugin version is greater than 7.4. As a temporary workaround until the patch is applied, restrict plugin functionality via WordPress role management, or disable the plugin if it is not actively required.