CVE-2026-3594
Received Received - Intake
Sensitive Data Exposure in Riaxe Product Customizer WordPress Plugin

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no authentication or authorization checks are performed. The endpoint queries WooCommerce order data from the database and returns it to the requester, including customer first and last names, customer IDs, order IDs, order totals, order dates, currencies, and order statuses. This makes it possible for unauthenticated attackers to extract sensitive customer and order information from the WooCommerce store.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3594
EUVD
EUVD-2026-20105
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
riaxe product_customizer to 2.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint to prevent unauthenticated access.

You should update the Riaxe Product Customizer plugin to a version later than 2.4 if available, or apply any patches provided by the vendor.

Additionally, consider implementing authentication and authorization checks on the endpoint to ensure only authorized users can access sensitive order data.

Executive Summary

The Riaxe Product Customizer plugin for WordPress has a vulnerability in its REST API endpoint '/wp-json/InkXEProductDesignerLite/orders'. This endpoint is accessible without any authentication or authorization checks because its permission callback is set to always allow access.

As a result, anyone can query this endpoint and retrieve sensitive information related to WooCommerce orders, including customer first and last names, customer IDs, order IDs, order totals, order dates, currencies, and order statuses.

Impact Analysis

This vulnerability allows unauthenticated attackers to access sensitive customer and order information from a WooCommerce store.

  • Exposure of personal customer data such as names and customer IDs.
  • Disclosure of order details including order IDs, totals, dates, currencies, and statuses.

Such exposure can lead to privacy violations, potential identity theft, and loss of customer trust.

Detection Guidance

This vulnerability can be detected by checking if the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint is accessible without authentication and returns WooCommerce order data including sensitive customer information.

You can use commands like curl to test the endpoint from your system or network. For example:

  • curl -X GET https://your-wordpress-site.com/wp-json/InkXEProductDesignerLite/orders

If the response contains customer first and last names, customer IDs, order IDs, order totals, order dates, currencies, or order statuses without requiring authentication, your system is vulnerable.

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive customer and order information, including names, customer IDs, order details, and statuses, without any authentication or authorization checks.

Such exposure of personal and order data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personally identifiable information and sensitive data.

By allowing unauthorized access to customer data, the vulnerability increases the risk of data breaches and potential violations of privacy laws and standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3594. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart