{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3595", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-05T13:20:03.607Z", "datePublished": "2026-04-16T05:29:52.794Z", "dateUpdated": "2026-04-16T05:29:52.794Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T05:29:52.794Z"}, "affected": [{"vendor": "imprintnext", "product": "Riaxe Product Customizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission_callback, causing WordPress to default to allowing unauthenticated access, and the inkxe_delete_customer() callback function taking an array of user IDs from the request body and passing each one directly to wp_delete_user() without any authentication or authorization checks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress user accounts, including administrator accounts, leading to complete site lockout and data loss."}], "title": "Riaxe Product Customizer <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59da92e2-9ea0-4566-ae4d-3d5d91d0e42e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L4271"}, {"url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/riaxe-product-designer.php#L4271"}, {"url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L2993"}, {"url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/riaxe-product-designer.php#L2993"}, {"url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L3150"}, {"url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/riaxe-product-designer.php#L3150"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kai Aizen"}], "timeline": [{"time": "2026-04-15T16:45:25.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission_callback, causing WordPress to default to allowing unauthenticated access, and the inkxe_delete_customer() callback function taking an array of user IDs from the request body and passing each one directly to wp_delete_user() without any authentication or authorization checks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress user accounts, including administrator accounts, leading to complete site lockout and data loss."}], "id": "CVE-2026-3595", "lastModified": "2026-04-16T06:16:14.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T06:16:14.550", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/riaxe-product-designer.php#L2993"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/riaxe-product-designer.php#L3150"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/riaxe-product-designer.php#L4271"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L2993"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L3150"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L4271"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59da92e2-9ea0-4566-ae4d-3d5d91d0e42e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Riaxe Product Customizer", "source": "cna", "vendor": "imprintnext"}, "product": "riaxe_product_customizer", "vendor": "imprintnext"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T08:56:02.334852+00:00", "value": {"mitigation_remediation": ["Update Riaxe Product Customizer to the latest patched version that implements a proper permission_callback for the delete_customer route.", "If an update is unavailable, disable the plugin or remove the delete_customer endpoint by adding a code snippet that unregisters the REST route or overrides the callback with a no\u2011op function.", "Restrict access to the /wp-json/InkXEProductDesignerLite/customer/delete_customer route by configuring a firewall rule or a security plugin to allow requests only from trusted administrators.", "Monitor site logs for unexpected delete_user actions and promptly remediate any unauthorized activity."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized deletion of WordPress user accounts leading to site lockout"}, "threat_synthesis": {"affected_systems": "All WordPress installations that have imprintnext Riaxe Product Customizer version 2.1.2 or earlier installed are affected. The vulnerability exists in the plugin code itself; any site that relies on this plugin for product customization is at risk.", "description_and_impact": "The Riaxe Product Customizer plugin registers a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission_callback. This default to unauthenticated access. The callback accepts an array of user IDs, then passes each directly to wp_delete_user(), allowing an attacker to delete any WordPress user, including administrators, without authentication. The result can be complete site lockout and data loss.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity risk. EPSS data is not available and the vulnerability has not been listed in CISA\u2019s KEV catalog, suggesting no current widespread exploitation. The attack vector is deduced to be an unauthenticated HTTP POST request to the exposed REST endpoint; no credentials or privilege escalation are required for exploitation."}}}}, "created": "2026-04-16T09:00:05.292306+00:00", "updated": "2026-04-16T09:11:50.262892+00:00", "vendors": ["imprintnext", "imprintnext$PRODUCT$riaxe_product_customizer", "wordpress", "wordpress$PRODUCT$wordpress"]}