VYPR
Medium severity 5.8 · NVD Advisory · Published Jun 19, 2024 · Updated Apr 15, 2026

CVE-2024-4787

Description

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to arbitrary email sending in versions up to, and including, 3.1.75. This is due to insufficient limitations on the email recipient and the content in the 'send_pdf' and the 'send_pdf_front' functions, which are reachable via AJAX. This makes it possible for unauthenticated attackers to send emails with any content to any recipient.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Cost Calculator Builder PRO plugin for WordPress ≤3.1.75 lets unauthenticated attackers send arbitrary emails to any recipient via AJAX functions.

Root Cause

The Cost Calculator Builder PRO plugin for WordPress, in versions up to and including 3.1.75, fails to properly restrict the email recipient and content in the send_pdf and send_pdf_front functions. These functions are reachable via AJAX, meaning they can be triggered from the front end without authentication [1].

Exploitation

An unauthenticated attacker can craft an AJAX request to these functions, specifying any email address as the recipient and any arbitrary content (including HTML) as the email body. No authentication or prior interaction from a site administrator is required, making the attack surface broad [1].

Impact

Successful exploitation allows the attacker to abuse the server's email delivery capabilities to send unsolicited emails from the victim WordPress site. This can be used for phishing, spam, or reputation damage, as the emails will appear to originate from a legitimate domain associated with the website [1].

Mitigation

The vulnerability has been addressed in version 3.1.76 of the plugin. Users are strongly advised to update to the latest version available, which includes proper input validation and limitations on email sending capabilities [1].
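
One shape that input validation and limits on email sending can take in a front-end WordPress AJAX handler, shown as an added example: this is hypothetical plugin code, not Cost Calculator Builder PRO's own code or its actual patch. The action name, nonce action, post type, meta key and file path are assumptions.

```php
<?php
// Added example: hypothetical plugin code, not Cost Calculator Builder PRO's own.
// Every "example_" name, the nonce action and the meta key are assumptions.

add_action( 'wp_ajax_example_send_quote_pdf', 'example_send_quote_pdf' );
add_action( 'wp_ajax_nopriv_example_send_quote_pdf', 'example_send_quote_pdf' );

function example_send_quote_pdf() {
    // A nonce for logged-out visitors is only a CSRF token, not authentication,
    // so the checks below must hold even when this one passes.
    check_ajax_referer( 'example_send_quote_pdf', 'nonce' );

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    if ( ! $order_id || 'example_order' !== get_post_type( $order_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown order.' ), 404 );
    }

    // Recipient comes from the stored order, never from the request.
    $recipient = sanitize_email( (string) get_post_meta( $order_id, '_example_customer_email', true ) );
    if ( ! is_email( $recipient ) ) {
        wp_send_json_error( array( 'message' => 'Order has no valid address.' ), 400 );
    }

    // Limit sends per order so the endpoint cannot be used for bulk mail.
    $throttle_key = 'example_pdf_sent_' . $order_id;
    if ( get_transient( $throttle_key ) ) {
        wp_send_json_error( array( 'message' => 'Already sent recently.' ), 429 );
    }
    set_transient( $throttle_key, 1, HOUR_IN_SECONDS );

    // Subject and body are fixed server-side text; no request field is copied in.
    $subject = sprintf( 'Your quote from %s', wp_specialchars_decode( get_bloginfo( 'name' ), ENT_QUOTES ) );
    $body    = sprintf( "Your quote #%d is attached.\n", $order_id );

    // Attachment path is derived from the order ID, not supplied by the client.
    $upload = wp_upload_dir();
    $pdf    = $upload['basedir'] . '/example-quotes/quote-' . $order_id . '.pdf';
    $files  = is_readable( $pdf ) ? array( $pdf ) : array();

    $sent = wp_mail( $recipient, $subject, $body, array( 'Content-Type: text/plain; charset=UTF-8' ), $files );
    $sent ? wp_send_json_success() : wp_send_json_error( array( 'message' => 'Mail failed.' ), 500 );
}
```

The handler stays reachable without login, but the request can only select an existing order; recipient, subject, body and attachment are all decided on the server.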

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
