CVE-2026-39704 Overview
CVE-2026-39704 is a Missing Authorization vulnerability [CWE-862] in the nfusionsolutions Precious Metals Automated Product Pricing – Pro WordPress plugin. The flaw affects all versions up to and including 4.0.5. The plugin fails to enforce correct access control checks, allowing unauthenticated attackers to interact with functionality intended for privileged users. Successful exploitation results in low-impact integrity violations on affected WordPress sites.
Critical Impact
Unauthenticated network attackers can abuse incorrectly configured access control levels to modify plugin-controlled data without user interaction.
Affected Products
- nfusionsolutions Precious Metals Automated Product Pricing – Pro plugin for WordPress
- All versions from initial release through 4.0.5
- WordPress sites using the precious-metals-automated-product-pricing-pro plugin
Discovery Timeline
- 2026-04-08 - CVE-2026-39704 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-39704
Vulnerability Analysis
The vulnerability stems from missing authorization checks within the Precious Metals Automated Product Pricing – Pro plugin. The plugin exposes functionality that should be restricted to authenticated administrative roles but does not enforce capability validation before processing requests. Attackers can reach the affected handlers directly over the network without authentication or user interaction.
The CWE-862 classification confirms the root issue: the plugin omits permission checks before executing sensitive actions. This pattern is common in WordPress plugins that register AJAX or REST endpoints without applying current_user_can() or nonce verification consistently. The impact is limited to integrity, with no direct confidentiality loss or availability disruption reported.
Root Cause
The plugin contains action handlers that lack proper capability and nonce verification. Access control security levels are incorrectly configured, allowing requests from low-privilege or unauthenticated contexts to invoke functionality reserved for administrators. The trust boundary between public requests and privileged plugin operations is not enforced.
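The handler shape the analysis describes, as an added illustration written for this page rather than code taken from the plugin: a hypothetical admin-ajax action that saves a pricing markup option, shown first without any check (the CWE-862 pattern) and then with the nonce and capability checks WordPress provides. The action name, option name and REST namespace are assumptions.

```php
<?php
// Added illustration, not the plugin's code: action/option/route names are assumed.

// VULNERABLE SHAPE (CWE-862): registered for anonymous users via wp_ajax_nopriv_,
// and the handler writes an option without a nonce or a capability check.
add_action( 'wp_ajax_pm_save_markup', 'pm_save_markup_unchecked' );
add_action( 'wp_ajax_nopriv_pm_save_markup', 'pm_save_markup_unchecked' );
function pm_save_markup_unchecked() {
    $markup = isset( $_POST['markup'] ) ? (float) $_POST['markup'] : 0.0;
    update_option( 'pm_price_markup_percent', $markup ); // any visitor can change pricing
    wp_send_json_success( array( 'markup' => $markup ) );
}

// HARDENED SHAPE: no nopriv hook, nonce bound to the action (CSRF protection),
// capability check (authorization), and value validation before the write.
add_action( 'wp_ajax_pm_save_markup_v2', 'pm_save_markup_checked' );
function pm_save_markup_checked() {
    // Terminates the request with 403 if the 'nonce' field does not match.
    // A nonce proves intent of the current session; it is NOT authorization.
    check_ajax_referer( 'pm_save_markup', 'nonce' );

    // Authorization: only users allowed to manage options may change pricing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $markup = isset( $_POST['markup'] ) ? (float) wp_unslash( $_POST['markup'] ) : null;
    if ( null === $markup || $markup < 0 || $markup > 100 ) {
        wp_send_json_error( array( 'message' => 'markup must be between 0 and 100' ), 400 );
    }

    update_option( 'pm_price_markup_percent', $markup );
    wp_send_json_success( array( 'markup' => $markup ) );
}

// REST equivalent: the permission_callback is the authorization check; a route
// registered with '__return_true' here is the same missing-authorization flaw.
add_action( 'rest_api_init', function () {
    register_rest_route( 'pm/v1', '/markup', array(
        'methods'             => 'POST',
        'callback'            => 'pm_save_markup_checked',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The nonce for the hardened AJAX action would be issued only to an authenticated admin page script with wp_create_nonce( 'pm_save_markup' ), never embedded in public front-end output.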
Attack Vector
An unauthenticated attacker sends crafted HTTP requests to the WordPress site hosting the vulnerable plugin. Because no privileges or user interaction are required, the attack can be launched remotely against any exposed WordPress instance. The attacker triggers plugin endpoints that modify configuration or data values, producing limited integrity impact on the targeted site.
No public proof-of-concept exploit code is referenced for this CVE. The Patchstack advisory documents the broken access control behavior without releasing exploitation details.
Detection Methods for CVE-2026-39704
Indicators of Compromise
- Unexpected HTTP POST requests to admin-ajax.php or plugin REST routes containing precious-metals-automated-product-pricing-pro action parameters from unauthenticated sessions.
- Modifications to plugin pricing or configuration values without a corresponding administrator login event in WordPress audit logs.
- Requests to plugin endpoints originating from IP addresses not associated with site administrators.
Detection Strategies
- Monitor web server access logs for repeated requests targeting plugin action handlers without preceding authentication cookies.
- Deploy a WordPress audit logging plugin to correlate plugin setting changes with authenticated administrative sessions.
- Inspect WAF logs for parameter patterns referencing the precious-metals-automated-product-pricing-pro plugin slug from anonymous sources.
Monitoring Recommendations
- Alert on changes to plugin options stored in the wp_options table that occur outside of administrator activity windows.
- Track HTTP 200 responses to plugin AJAX endpoints from requests lacking valid nonces.
- Review WordPress activity logs daily for unexpected pricing data modifications.
How to Mitigate CVE-2026-39704
Immediate Actions Required
- Update the Precious Metals Automated Product Pricing – Pro plugin to a version newer than 4.0.5 once the vendor publishes a fix.
- Restrict access to admin-ajax.php and plugin REST endpoints using a Web Application Firewall while a patch is pending.
- Audit plugin configuration and pricing data for unauthorized changes made while version 4.0.5 or earlier was deployed.
Patch Information
Refer to the Patchstack Vulnerability Report for vendor patch status and remediation guidance. At the time of NVD publication, fixed versions are not enumerated in the advisory metadata.
Workarounds
- Disable the Precious Metals Automated Product Pricing – Pro plugin until a patched release is available.
- Apply WAF rules that block unauthenticated requests to plugin action handlers and require a valid WordPress authentication cookie.
- Limit administrative endpoint access by source IP to known administrator networks where feasible.
# Example ModSecurity rule chain blocking anonymous requests to plugin actions
# (adapt the syntax to your WAF). All three rules must match for the deny to fire.
# Note: the cookie test only checks that a login cookie is present, not that it is
# valid, so this filters anonymous traffic rather than enforcing authentication,
# and it will also block legitimate unauthenticated front-end (nopriv) use of any
# matching action, so test before deploying.
SecRule REQUEST_URI "@contains admin-ajax.php" \
    "id:1039704,phase:2,t:none,log,deny,status:403,chain,msg:'Block unauth access to precious-metals plugin'"
    SecRule ARGS:action "@rx precious[-_]metals[-_]automated[-_]product[-_]pricing" \
        "t:none,chain"
        SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


