CVE-2026-3474
Path Traversal in EmailKit Plugin Allows Arbitrary File Read
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_emailkit | email_customizer | up to and including 1.6.3 |
| wordfence | emailkit | up to and including 1.6.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3474 is a path traversal vulnerability in the EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress, affecting all versions up to and including 1.6.3.

The vulnerability arises because the plugin's TemplateData class uses the 'emailkit-editor-template' REST API parameter directly as a file path in a file reading function without validating or sanitizing it. This allows an authenticated attacker with Administrator-level access to supply a crafted path that traverses directories and reads arbitrary files on the server, such as sensitive configuration files.

The plugin stores the contents of these files as post metadata, which can then be retrieved via another REST API endpoint, enabling unauthorized access to sensitive server files.

The vulnerability was fixed in version 1.6.4 by adding strict path validation that restricts file access to a designated template directory, preventing traversal outside this directory. [2, 3, 4]
How can this vulnerability impact me?
This vulnerability can allow an attacker with administrator privileges on a WordPress site using the vulnerable EmailKit plugin to read arbitrary files on the server.
Such unauthorized file access can expose sensitive information like server configuration files (e.g., wp-config.php), user data, or system files (e.g., /etc/passwd), potentially leading to further exploitation or data breaches.
Because the attacker must have administrator-level access, the risk is primarily from compromised or malicious administrators or attackers who have escalated privileges.
The vulnerability does not allow code execution or modification of files directly but can leak confidential data, which can be leveraged for additional attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the EmailKit WordPress plugin's REST API endpoint 'emailkit/v1/template-data' accepting a parameter 'emailkit-editor-template' that can be exploited for arbitrary file read via path traversal by authenticated users with Administrator-level access.

To detect exploitation attempts or the presence of this vulnerability on your system, monitor REST API requests targeting the 'emailkit/v1/template-data' endpoint, especially those containing the 'emailkit-editor-template' parameter with path traversal patterns such as '../' sequences, including their percent-encoded forms.

Example commands to detect such activity in web server logs (assuming Apache or Nginx access logs; the `-i` on the second grep makes upper-case percent-encoding such as `%2E%2E%2F` match as well):

- `grep -i 'emailkit/v1/template-data' /var/log/apache2/access.log | grep -iE 'emailkit-editor-template=.*\.\./|emailkit-editor-template=.*%2e%2e%2f'`
- `grep 'emailkit/v1/template-data' /var/log/nginx/access.log | grep -i 'emailkit-editor-template'`

Additionally, you can use WordPress CLI or custom scripts to check the installed plugin version (it should be at least 1.6.4 to be patched) and audit user activity for suspicious REST API calls. [2, 3, 4]
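As an added example that is not part of the original page, the same detection logic as the grep commands above, written in Python and run over constructed access-log lines. It goes a little beyond the grep patterns: it also recognises the `?rest_route=` form of the WordPress REST route, collapses single and double percent-encoding before matching, and treats an absolute path or a NUL byte in the parameter as suspicious. The log lines, IP addresses and timestamps are made up. Like the grep commands, it only sees what the access log records, so a request that carries the parameter in a POST body rather than the query string will not appear here.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "emailkit/v1/template-data"   # route named on this page
PARAM = "emailkit-editor-template"       # parameter named on this page

# Apache/Nginx combined log: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# '..' as a whole path component, with either separator.
DOTDOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e%252e%252f collapses to '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def template_params(target: str) -> list:
    """Return decoded PARAM values if the request targets ENDPOINT, else []."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    # WordPress serves REST routes as /wp-json/<route> or as ?rest_route=/<route>.
    route = fully_decode(parts.path)
    if ENDPOINT not in route:
        route = fully_decode(query.get("rest_route", [""])[0])
    if ENDPOINT not in route:
        return []
    return [fully_decode(v) for v in query.get(PARAM, [])]


def is_suspicious(value: str) -> bool:
    """Traversal component, absolute path or NUL byte in the template name."""
    return (value.startswith(("/", "\\"))
            or DOTDOT_RE.search(value) is not None
            or "\x00" in value)


def scan(lines) -> list:
    """Return one record per request that hits ENDPOINT with a suspicious PARAM."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in template_params(m["target"]):
            if is_suspicious(value):
                hits.append({"ip": m["ip"], "time": m["time"],
                             "status": m["status"], "value": value})
    return hits


# Constructed sample lines, not real traffic. Line 1 is a benign template name;
# lines 2-4 are a plain traversal, a double-encoded traversal via ?rest_route=,
# and an absolute path; line 5 is unrelated REST noise.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2026:10:14:02 +0000] "GET /wp-json/emailkit/v1/template-data?emailkit-editor-template=order-confirmation HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2026:10:14:31 +0000] "GET /wp-json/emailkit/v1/template-data?emailkit-editor-template=../../../../wp-config.php HTTP/1.1" 200 3281 "-" "Mozilla/5.0"
198.51.100.22 - - [21/Mar/2026:10:15:05 +0000] "GET /index.php?rest_route=%2Femailkit%2Fv1%2Ftemplate-data&emailkit-editor-template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1840 "-" "curl/8.5.0"
198.51.100.22 - - [21/Mar/2026:10:15:40 +0000] "GET /wp-json/emailkit/v1/template-data?emailkit-editor-template=/etc/passwd HTTP/1.1" 403 210 "-" "curl/8.5.0"
192.0.2.9 - - [21/Mar/2026:10:16:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run it against a real log with `scan(open("/var/log/nginx/access.log"))`; a 200 response on a traversal attempt is the line to escalate, since it suggests the file contents were stored and are retrievable through the second endpoint described above.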
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "The primary mitigation step is to update the EmailKit β Email Customizer for WooCommerce & WP plugin to version 1.6.4 or later, where the vulnerability has been fixed by implementing strict path validation and directory restrictions on the 'emailkit-editor-template' REST API parameter."}, {'type': 'paragraph', 'content': 'If immediate update is not possible, consider the following temporary mitigations:'}, {'type': 'list_item', 'content': "Restrict access to the REST API endpoint 'emailkit/v1/template-data' to trusted administrator IP addresses or block it entirely if not in use."}, {'type': 'list_item', 'content': 'Ensure that only trusted users have Administrator-level access to the WordPress site, as exploitation requires such privileges.'}, {'type': 'list_item', 'content': 'Monitor logs for suspicious requests to the vulnerable endpoint and respond accordingly.'}, {'type': 'paragraph', 'content': "Long term, verify that the plugin's permission callbacks and nonce verification are functioning correctly to prevent unauthorized access."}] [2, 4]