Description
Missing Authorization vulnerability in Anzar Ahmed Ni WooCommerce Cost Of Goods ni-woocommerce-cost-of-goods allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ni WooCommerce Cost Of Goods: from n/a through <= 3.2.8.
Published: 2025-04-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the Anzar Ahmed Ni WooCommerce Cost Of Goods plugin allows an attacker to access or modify cost‑of‑goods settings that are normally restricted to privileged users. This flaw can lead to unauthorized changes in product pricing, affecting the integrity of sales data and potentially resulting in financial loss or inventory mismanagement. The weakness is classified as CWE‑862 (Missing Authorization).

Affected Systems

WordPress sites that have installed the Ni WooCommerce Cost Of Goods plugin version 3.2.8 or earlier. The plugin is maintained by Anzar Ahmed and offers cost management features for WooCommerce stores.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability has not been listed in the CISA KEV catalog. Based on the description, the likely attack vector is that an unauthenticated or minimally privileged user can interact with plugin endpoints that should require higher privileges, enabling them to modify cost data. No specific exploits have been reported, and no official patch or workaround is provided by the vendor at this time.

Generated by OpenCVE AI on May 1, 2026 at 02:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ni WooCommerce Cost Of Goods plugin to the latest available version that addresses the access‑control issue.
  • If an update is not available, disable or remove the plugin until a fix is released.
  • Review WordPress user roles to ensure that only administrators or trusted users retain permissions to manage cost‑of‑goods settings and monitor access logs for suspicious activity.

Generated by OpenCVE AI on May 1, 2026 at 02:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9205 Missing Authorization vulnerability in Anzar Ahmed Ni WooCommerce Cost Of Goods allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ni WooCommerce Cost Of Goods: from n/a through 3.2.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Anzar Ahmed Ni WooCommerce Cost Of Goods allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ni WooCommerce Cost Of Goods: from n/a through 3.2.8. Missing Authorization vulnerability in Anzar Ahmed Ni WooCommerce Cost Of Goods ni-woocommerce-cost-of-goods allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ni WooCommerce Cost Of Goods: from n/a through <= 3.2.8.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Tue, 01 Apr 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Anzar Ahmed Ni WooCommerce Cost Of Goods allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ni WooCommerce Cost Of Goods: from n/a through 3.2.8.
Title WordPress Ni WooCommerce Cost Of Goods plugin <= 3.2.8 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:13.679Z

Reserved: 2025-04-01T13:20:32.606Z

Link: CVE-2025-31826

cve-icon Vulnrichment

Updated: 2025-04-01T18:00:07.060Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T15:16:22.727

Modified: 2026-04-23T15:28:22.117

Link: CVE-2025-31826

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T02:15:06Z

Weaknesses