WP-Safety
CVE-2026-39704

Precious Metals Automated Product Pricing – Pro <= 4.0.5 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Precious Metals Automated Product Pricing – Pro plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.0.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.0.5
PublishedMarch 1, 2026
Last updatedApril 15, 2026
Affected pluginprecious-metals-automated-product-pricing-pro
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-39704 (Precious Metals Automated Product Pricing – Pro) ## 1. Vulnerability Summary The **Precious Metals Automated Product Pricing – Pro** plugin (up to 4.0.5) contains a missing authorization vulnerability. This flaw exists because specific AJAX or REST API …

Show full research plan

Exploitation Research Plan: CVE-2026-39704 (Precious Metals Automated Product Pricing – Pro)

1. Vulnerability Summary

The Precious Metals Automated Product Pricing – Pro plugin (up to 4.0.5) contains a missing authorization vulnerability. This flaw exists because specific AJAX or REST API endpoints do not implement capability checks (e.g., current_user_can()) or proper nonce verification before performing sensitive operations. Specifically, an unauthenticated attacker can likely trigger product price updates, modify plugin settings, or manipulate how precious metal spot prices are calculated/displayed.

2. Attack Vector Analysis

  • Endpoint: Likely a WordPress AJAX handler (/wp-admin/admin-ajax.php) or a REST API route (/wp-json/...).
  • Action String (Inferred): Given the plugin's purpose, the AJAX action is likely named something like pm_save_settings, pm_update_prices, pm_refresh_spot_price, or update_metal_margins.
  • Payload Parameters: Likely contains settings fields (e.g., pm_api_key, pm_margin_percentage) or product IDs.
  • Authentication: None required (unauthenticated). The vulnerability allows the execution of an action that should be restricted to administrators.
  • Preconditions: The plugin must be active. If the vulnerable action is related to WooCommerce products, WooCommerce must also be active.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX action using add_action( 'wp_ajax_nopriv_{action_name}', ... ) or add_action( 'wp_ajax_{action_name}', ... ).
  2. Handler Entry: When a request hits admin-ajax.php with the corresponding action parameter, the handler function is invoked.
  3. Missing Check: Inside the handler, the code fails to call current_user_can( 'manage_options' ).
  4. Sensitive Sink: The handler proceeds to call functions like update_option(), update_post_meta(), or wp_update_post() using data directly from $_POST or $_REQUEST.

4. Nonce Acquisition Strategy

If the endpoint requires a nonce for CSRF protection (even if it lacks authorization), it must be obtained from the frontend or admin pages.

  1. Discovery: Use grep -r "wp_create_nonce" . in the plugin directory to find the action string.
  2. Localization: Look for wp_localize_script in the code to see where the nonce is exposed to the frontend.
    • Inferred Variable: window.pm_ajax?.nonce or window.pm_vars?.nonce.
  3. Shortcode Usage: Identify if the plugin uses a shortcode (e.g., [precious_metals_pricing]) to display price charts.
  4. Extraction Steps:
    • wp post create --post_type=page --post_status=publish --post_content='[target_shortcode]'
    • browser_navigate(URL_OF_NEW_PAGE)
    • NONCE = browser_eval("window.IDENTIFIER?.nonce_key")

5. Exploitation Strategy

This plan assumes the vulnerability allows modifying plugin settings via an AJAX action.

  1. Identify Vulnerable Action: Search the plugin files for wp_ajax_nopriv_.
    • Example Search: grep -rn "wp_ajax_nopriv_" .
  2. Analyze Handler: Check if the handler calls update_option.
  3. Craft Request:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Content-Type: application/x-www-form-urlencoded
    • Parameters:
      • action: {discovered_action}
      • _wpnonce: {extracted_nonce} (if applicable)
      • setting_name: pm_margin_multiplier (example)
      • value: 500 (malicious value to inflate prices)
  4. Execute: Use the http_request tool to send the payload.

6. Test Data Setup

  1. Install and activate the plugin: wp plugin activate precious-metals-automated-product-pricing-pro.
  2. (Optional) Install WooCommerce if the plugin depends on it: wp plugin activate woocommerce.
  3. Create a test product: wp post create --post_type=product --post_title="Gold Bar" --post_status=publish.
  4. Configure a base price if required by the plugin settings.

7. Expected Results

  • Response: The HTTP request should return a 200 OK response, often with a JSON body like {"success":true} or 1.
  • Database Change: The WordPress option or post meta associated with the plugin should be updated to the attacker-supplied value.

8. Verification Steps

  1. Check Options: Use WP-CLI to verify if settings were changed:
    • wp option get {plugin_setting_name}
  2. Check Product Meta: If the exploit targeted a specific product:
    • wp post meta list {product_id}
  3. Check Frontend: Navigate to the product page or price chart page to see if the displayed price reflects the malicious manipulation.

9. Alternative Approaches

  • Settings Injection: If the plugin saves settings as an array, try injecting malicious keys into the $_POST array to overwrite arbitrary plugin configurations.
  • Unauthenticated Spot Price Refresh: If the vulnerable function is pm_refresh_prices, an attacker might be able to DOS the site or the API by triggering thousands of simultaneous price update requests, potentially exhausting API quotas or server resources.
  • REST API Path: If no AJAX actions are found, scan for register_rest_route and check for any route with 'permission_callback' => '__return_true' that performs an UPDATE or POST operation.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Precious Metals Automated Product Pricing – Pro plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check on sensitive functions in versions up to 4.0.5. This allows unauthenticated attackers to perform administrative actions, such as updating product prices or modifying plugin configuration, by targeting vulnerable AJAX or REST API endpoints.

Exploit Outline

1. Identify the target AJAX action by searching the plugin source for 'wp_ajax_nopriv_' registrations (e.g., actions intended for price updates or settings management). 2. Determine if the handler function lacks both current_user_can('manage_options') and check_ajax_referer() calls. 3. If a nonce is required for the request, extract it from the frontend by viewing the page source or inspecting localized script objects (e.g., window.pm_vars). 4. Craft a POST request to /wp-admin/admin-ajax.php with the 'action' parameter and any relevant data payloads (e.g., 'pm_margin_percentage=500') to modify site behavior. 5. Execute the request and verify that the plugin settings or product prices have been updated in the database.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/7f6ecf14-669a-41a6-bacd-de64d497be50?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database