# CVE-2026-39704: Precious Metals Automated Product Pricing – Pro <= 4.0.5 - Missing Authorization

**Description (as published):** The Precious Metals Automated Product Pricing – Pro plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.0.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

## Record

*   **Plugin slug:** `precious-metals-automated-product-pricing-pro`
*   **Affected versions:** <= 4.0.5
*   **Patched in:** not recorded (no fixed version was listed as of the last update)
*   **Severity:** Medium, CVSS 3.1 base score 5.3
*   **CVSS vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` (network-reachable, low complexity, no privileges or user interaction, unchanged scope; impact limited to low integrity, with no confidentiality or availability impact)
*   **Vulnerability type:** Missing Authorization
*   **Published:** 2026-03-01
*   **Updated:** 2026-04-15 21:33:06
*   **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/7f6ecf14-669a-41a6-bacd-de64d497be50?source=api-prod
*   **Source:** plugin tags at https://plugins.trac.wordpress.org/browser/precious-metals-automated-product-pricing-pro/tags (no vulnerable or fixed version browse/zip links recorded)
*   **Research status:** researched (3 rounds, model `gemini-3-flash-preview`, 2026-04-18 22:18:10 to 22:18:25); not verified. No vulnerable code excerpt, fix diff, patch diff or proof of concept has been recorded, so everything in the plan below is inferred from the advisory text and the plugin's purpose.

## Exploitation Research Plan

### 1. Vulnerability Summary
The **Precious Metals Automated Product Pricing – Pro** plugin (up to 4.0.5) contains a missing authorization vulnerability. The public advisory states only that a capability check (e.g. `current_user_can()`) is missing on one function; this plan assumes that function is reached through an AJAX or REST API endpoint which also lacks nonce verification. Given the plugin's purpose, an unauthenticated attacker can likely trigger product price updates, modify plugin settings, or manipulate how precious metal spot prices are calculated or displayed. None of the endpoint, action or parameter names below have been confirmed against the plugin source.

### 2. Attack Vector Analysis
*   **Endpoint:** Likely a WordPress AJAX handler (`/wp-admin/admin-ajax.php`) or a REST API route (`/wp-json/...`).
*   **Action string (inferred):** Given the plugin's purpose, the AJAX action is likely named something like `pm_save_settings`, `pm_update_prices`, `pm_refresh_spot_price`, or `update_metal_margins`.
*   **Payload parameters:** Likely settings fields (e.g., `pm_api_key`, `pm_margin_percentage`) or product IDs.
*   **Authentication:** None required (CVSS `PR:N`). The vulnerability allows the execution of an action that should be restricted to administrators.
*   **Preconditions:** The plugin must be active. If the vulnerable action is related to WooCommerce products, WooCommerce must also be active.

### 3. Code Flow (Inferred)
1.  **Registration:** The plugin registers an AJAX action using `add_action( 'wp_ajax_nopriv_{action_name}', ... )` (reachable without login) and/or `add_action( 'wp_ajax_{action_name}', ... )` (logged-in users).
2.  **Handler entry:** When a request hits `admin-ajax.php` with the corresponding `action` parameter, the handler function is invoked.
3.  **Missing check:** Inside the handler, the code fails to call `current_user_can( 'manage_options' )` or any equivalent capability check.
4.  **Sensitive sink:** The handler proceeds to call functions like `update_option()`, `update_post_meta()`, or `wp_update_post()` using data taken directly from `$_POST` or `$_REQUEST`.

### 4. Nonce Acquisition Strategy
If the endpoint requires a nonce (CSRF protection, which is not a substitute for the missing authorization check), it must be obtained from a page the attacker can reach.

1.  **Discovery:** Run `grep -r "wp_create_nonce" .` in the plugin directory to find the nonce action string.
2.  **Localization:** Look for `wp_localize_script` calls to see where the nonce is exposed to frontend JavaScript.
    *   *Inferred variable:* `window.pm_ajax?.nonce` or `window.pm_vars?.nonce`.
3.  **Shortcode usage:** Identify whether the plugin provides a shortcode (e.g., `[precious_metals_pricing]`) that renders price charts and therefore enqueues the localized script on a public page.
4.  **Extraction steps:**
    *   `wp post create --post_type=page --post_status=publish --post_content='[target_shortcode]'`
    *   `browser_navigate(URL_OF_NEW_PAGE)`
    *   `NONCE = browser_eval("window.IDENTIFIER?.nonce_key")`

A nonce that WordPress generates for a logged-out visitor (user ID 0) is accepted for any other logged-out request until it expires, so a nonce scraped from a public page is sufficient for the `wp_ajax_nopriv_` path. If the nonce is only emitted on admin pages, that path is exploitable only when the handler skips `check_ajax_referer()` as well.

### 5. Exploitation Strategy
This plan assumes the vulnerability allows modifying plugin settings via an AJAX action.

1.  **Identify the vulnerable action:** Search the plugin files for `wp_ajax_nopriv_`.
    *   *Example search:* `grep -rn "wp_ajax_nopriv_" .`
2.  **Analyze the handler:** Check whether it calls `update_option()` (or another write sink) without a capability check.
3.  **Craft the request:**
    *   **URL:** `http://localhost:8080/wp-admin/admin-ajax.php` (lab target)
    *   **Method:** `POST`
    *   **Content-Type:** `application/x-www-form-urlencoded`
    *   **Parameters:**
        *   `action`: `{discovered_action}`
        *   `_wpnonce`: `{extracted_nonce}` (only if the handler verifies one)
        *   `setting_name`: `pm_margin_multiplier` (example)
        *   `value`: `500` (malicious value to inflate prices)
4.  **Execute:** Send the payload with the `http_request` tool.

### 6. Test Data Setup
1.  Install and activate the plugin: `wp plugin activate precious-metals-automated-product-pricing-pro`.
2.  (Optional) Install WooCommerce if the plugin depends on it: `wp plugin activate woocommerce`.
3.  Create a test product: `wp post create --post_type=product --post_title="Gold Bar" --post_status=publish`.
4.  Configure a base price if the plugin settings require one.

### 7. Expected Results
*   **Response:** HTTP `200 OK`, typically with a JSON body like `{"success":true}` from `wp_send_json_success()`, or a bare `1` from a legacy handler. A bare `0` is what `admin-ajax.php` returns when no handler is registered for the given action, or when a handler finishes without calling `exit`.
*   **Database change:** The WordPress option or post meta associated with the plugin should hold the attacker-supplied value.

### 8. Verification Steps
1.  **Check options:** `wp option get {plugin_setting_name}`
2.  **Check product meta:** `wp post meta list {product_id}`
3.  **Check frontend:** Navigate to the product page or price chart page and confirm the displayed price reflects the manipulation.

### 9. Alternative Approaches
*   **Settings injection:** If the plugin saves settings as an array, try injecting extra keys into the `$_POST` array to overwrite arbitrary plugin configuration.
*   **Unauthenticated spot price refresh:** If the vulnerable function is a price refresh such as `pm_refresh_prices`, an attacker could DoS the site or the upstream pricing API by triggering many simultaneous refreshes, exhausting API quotas or server resources.
*   **REST API path:** If no AJAX actions are found, scan for `register_rest_route` and check for any route with `'permission_callback' => '__return_true'` whose callback performs a write (a `POST`/`PUT`/`DELETE` method or a database update).

## Research Summary
The Precious Metals Automated Product Pricing – Pro plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check on a function in versions up to 4.0.5. According to the advisory this allows unauthenticated attackers to perform an unauthorized action; the plan above infers that the action is administrative, such as updating product prices or modifying plugin configuration through an AJAX or REST API endpoint, but this has not been verified against the plugin source.

## Exploit Outline (unverified)
1. Identify the target AJAX action by searching the plugin source for `wp_ajax_nopriv_` registrations (e.g., actions intended for price updates or settings management).
2. Determine whether the handler lacks a capability check such as `current_user_can('manage_options')`, and whether it also skips `check_ajax_referer()`. The missing capability check is the authorization flaw; the presence or absence of a nonce check only decides whether step 3 is needed.
3. If a nonce is required, extract it from the frontend by viewing the page source or inspecting localized script objects (e.g., `window.pm_vars`).
4. Craft a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter and the relevant data payload (e.g., `pm_margin_percentage=500`).
5. Execute the request and verify that the plugin settings or product prices have changed in the database.
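The discovery and analysis steps above (finding `wp_ajax_nopriv_` registrations, locating the handler, and checking it for a capability or nonce check before a write sink) can be automated as a first-pass static triage. The script below is an added example, not code from this page or from the plugin: it scans PHP source for `add_action( 'wp_ajax_...' )` registrations, resolves each handler by brace-matching its function body, and flags handlers that reach `update_option()`, `update_post_meta()` or similar without any `current_user_can()` / `check_ajax_referer()` / `wp_verify_nonce()` call. The embedded sample plugin is constructed for the example and shows a vulnerable handler beside a hardened one; the `pmapp_*` action and function names are hypothetical and are not taken from the real plugin.

```python
"""Static triage of WordPress plugin source for wp_ajax_* handlers that write
without an authorization check (added example, not the plugin's own code)."""
import re
from pathlib import Path
from typing import Optional

# Constructed sample plugin. The pmapp_* names are hypothetical and do not
# come from Precious Metals Automated Product Pricing - Pro.
SAMPLE_PLUGIN_PHP = r"""<?php
add_action( 'wp_ajax_nopriv_pmapp_save_margin', 'pmapp_save_margin' );
add_action( 'wp_ajax_pmapp_save_margin', 'pmapp_save_margin' );

function pmapp_save_margin() {
    // Vulnerable: no capability check and no nonce check;
    // attacker-controlled $_POST flows straight into update_option().
    update_option( 'pmapp_margin_percentage', $_POST['value'] );
    wp_send_json_success();
}

class Pmapp_Admin {
    public function __construct() {
        add_action( 'wp_ajax_pmapp_refresh_spot', [ $this, 'refresh_spot' ] );
    }
    public function refresh_spot() {
        // Hardened: nonce and capability check before the write sink.
        check_ajax_referer( 'pmapp_admin', 'nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        update_option( 'pmapp_last_refresh', time() );
        wp_send_json_success();
    }
}
"""

# add_action( 'wp_ajax_[nopriv_]<action>', '<func>' | array($obj,'<m>') | [$obj,'<m>'] )
REGISTRATION = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>\w+)['"]\s*,\s*"""
    r"""(?:['"](?P<func>\w+)['"]|(?:array\(|\[)\s*\$\w+\s*,\s*['"](?P<method>\w+)['"]\s*[\)\]])"""
)
AUTHZ_CALLS = ("current_user_can(", "check_ajax_referer(",
               "wp_verify_nonce(", "is_user_logged_in(")
WRITE_SINKS = ("update_option(", "delete_option(", "update_post_meta(",
               "wp_update_post(", "wp_insert_post(", "update_user_meta(")


def extract_function_body(src: str, name: str) -> Optional[str]:
    """Body of `function name(...) { ... }` by brace matching. Braces inside
    PHP strings/comments are not special-cased: a triage aid, not a parser."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return None


def triage(src: str) -> list:
    """One finding per wp_ajax_* registration found in `src`."""
    findings = []
    for m in REGISTRATION.finditer(src):
        handler = m.group("func") or m.group("method")
        nopriv = m.group("nopriv") is not None
        body = extract_function_body(src, handler)
        if body is None:
            verdict, sinks, has_authz = "handler body not found", [], False
        else:
            # Substring matching also hits comments; verify flagged hits by hand.
            has_authz = any(call in body for call in AUTHZ_CALLS)
            sinks = sorted(s[:-1] for s in WRITE_SINKS if s in body)
            if sinks and not has_authz:
                verdict = ("unauthenticated write without authorization check"
                           if nopriv else
                           "logged-in write without capability/nonce check")
            elif not has_authz:
                verdict = "no authorization check, no write sink seen"
            else:
                verdict = "ok"
        findings.append({"action": m.group("action"), "nopriv": nopriv,
                         "handler": handler, "sinks": sinks,
                         "has_authz": has_authz, "verdict": verdict})
    return findings


def unauthenticated_write_handlers(src: str) -> list:
    """Handlers reachable via wp_ajax_nopriv_ that write with no check at all."""
    return sorted({f["handler"] for f in triage(src)
                   if f["verdict"].startswith("unauthenticated")})


def scan_plugin_dir(plugin_dir: str) -> list:
    """Registrations and handlers often live in different files, so the whole
    plugin tree is concatenated before triage."""
    src = "\n".join(p.read_text(errors="replace")
                    for p in sorted(Path(plugin_dir).rglob("*.php")))
    return triage(src)


if __name__ == "__main__":
    for f in triage(SAMPLE_PLUGIN_PHP):
        hook = "wp_ajax_nopriv_" if f["nopriv"] else "wp_ajax_"
        print(f"{hook}{f['action']:<22} -> {f['handler']:<18} "
              f"sinks={f['sinks']} verdict={f['verdict']}")
```

Run it against an unpacked plugin with `scan_plugin_dir("wp-content/plugins/<slug>")` and review every handler whose verdict is not `ok`; the `unauthenticated` verdicts are the candidates for the `admin-ajax.php` request in step 3. Anything registered through a dynamic hook name, a closure, or a method the brace matcher cannot locate is reported as `handler body not found` and still needs a manual read.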