CVE-2025-31826: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the Ni WooCommerce Cost Of Goods WordPress plugin, affecting versions up to 3.2.8. The vulnerability was identified on April 1, 2025, and was assigned CVE-2025-31826. The issue allows exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 5.4 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, indicating that it requires network access and low privileges to exploit, with no user interaction needed. The impact primarily affects integrity and availability at a low level (Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. While classified as low severity, it could potentially lead to unauthorized access to protected functionality (Patchstack).

The vulnerability has been fixed in version 3.2.9 of the Ni WooCommerce Cost Of Goods plugin. Users are advised to update to this version or later to remove the vulnerability. For users unable to update immediately, no specific workarounds have been provided (Patchstack).