Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in nfusionsolutions Precious Metals Automated Product Pricing – Pro precious-metals-automated-product-pricing-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Precious Metals Automated Product Pricing – Pro: from n/a through <= 4.0.5.
AnalysisAI
Missing authorization in nfusionsolutions Precious Metals Automated Product Pricing Pro plugin (versions <= 4.0.5) allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability affects WordPress installations using this e-commerce plugin and enables information disclosure with low CVSS severity (5.3), though exploitation requires no authentication and is automatable according to CISA SSVC assessment. No public exploit code or active exploitation has been confirmed.
Technical ContextAI
This vulnerability stems from CWE-862 (Missing Authorization), a class of flaw where the application fails to verify user permissions before granting access to restricted resources or functions. In WordPress plugins, this commonly manifests when REST API endpoints, admin AJAX handlers, or database queries are not properly gated with capability checks (such as wp_verify_nonce() and current_user_can()). The affected product is a WooCommerce or e-commerce plugin (precious-metals-automated-product-pricing-pro) that likely exposes pricing, inventory, or product configuration data through inadequately protected endpoints. The CPE identifier cpe:2.3:a:nfusionsolutions:precious_metals_automated_product_pricing_-_pro:*:*:*:*:*:*:*:* indicates the vendor is nfusionsolutions and the vulnerability affects all versions up to and including 4.0.5 across all deployment contexts.
RemediationAI
Upgrade to the patched version released by nfusionsolutions following version 4.0.5 (exact fixed version number not specified in available data, verify via vendor advisory at https://patchstack.com/database/Wordpress/Plugin/precious-metals-automated-product-pricing-pro/). If an immediate patch is unavailable, implement access control verification in WordPress configuration to restrict plugin functionality to authenticated users with appropriate capabilities, and audit any exposed endpoints for sensitive data leakage. Additionally, review WordPress site logs for unauthorized access attempts to pricing or configuration endpoints that may indicate exploitation attempts. Refer to the vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Plugin/precious-metals-automated-product-pricing-pro/vulnerability/wordpress-precious-metals-automated-product-pricing-pro-plugin-4-0-5-broken-access-control-vulnerability?_s_id=cve) for vendor-specific remediation guidance.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20408