Skip to main content

Precious Metals Automated Product Pricing 8211 Pro EUVDEUVD-2026-20408

| CVE-2026-39704 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20408
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in nfusionsolutions Precious Metals Automated Product Pricing &#8211; Pro precious-metals-automated-product-pricing-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Precious Metals Automated Product Pricing &#8211; Pro: from n/a through <= 4.0.5.

AnalysisAI

Missing authorization in nfusionsolutions Precious Metals Automated Product Pricing Pro plugin (versions <= 4.0.5) allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability affects WordPress installations using this e-commerce plugin and enables information disclosure with low CVSS severity (5.3), though exploitation requires no authentication and is automatable according to CISA SSVC assessment. No public exploit code or active exploitation has been confirmed.

Technical ContextAI

This vulnerability stems from CWE-862 (Missing Authorization), a class of flaw where the application fails to verify user permissions before granting access to restricted resources or functions. In WordPress plugins, this commonly manifests when REST API endpoints, admin AJAX handlers, or database queries are not properly gated with capability checks (such as wp_verify_nonce() and current_user_can()). The affected product is a WooCommerce or e-commerce plugin (precious-metals-automated-product-pricing-pro) that likely exposes pricing, inventory, or product configuration data through inadequately protected endpoints. The CPE identifier cpe:2.3:a:nfusionsolutions:precious_metals_automated_product_pricing_-_pro:*:*:*:*:*:*:*:* indicates the vendor is nfusionsolutions and the vulnerability affects all versions up to and including 4.0.5 across all deployment contexts.

RemediationAI

Upgrade to the patched version released by nfusionsolutions following version 4.0.5 (exact fixed version number not specified in available data, verify via vendor advisory at https://patchstack.com/database/Wordpress/Plugin/precious-metals-automated-product-pricing-pro/). If an immediate patch is unavailable, implement access control verification in WordPress configuration to restrict plugin functionality to authenticated users with appropriate capabilities, and audit any exposed endpoints for sensitive data leakage. Additionally, review WordPress site logs for unauthorized access attempts to pricing or configuration endpoints that may indicate exploitation attempts. Refer to the vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Plugin/precious-metals-automated-product-pricing-pro/vulnerability/wordpress-precious-metals-automated-product-pricing-pro-plugin-4-0-5-broken-access-control-vulnerability?_s_id=cve) for vendor-specific remediation guidance.

Share

EUVD-2026-20408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy