CVE-2026-3595
Authorization Bypass in Riaxe Plugin Allows Arbitrary User Deletion
Publication date: 2026-04-16
Last updated on: 2026-04-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| riaxe | product_customizer | to 2.1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to delete arbitrary WordPress user accounts, including administrator accounts, leading to complete site lockout and data loss.
Such unauthorized deletion of user accounts and potential data loss could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and access controls.
However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.
Can you explain this vulnerability to me?
The Riaxe Product Customizer plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 2.1.2. This occurs because the plugin registers a REST API route for deleting customers without a permission callback, which means WordPress allows unauthenticated access by default.
The vulnerability allows attackers to send a POST request to the endpoint /wp-json/InkXEProductDesignerLite/customer/delete_customer with an array of user IDs. The plugin then deletes those user accounts without checking if the requester is authorized.
As a result, unauthenticated attackers can delete arbitrary WordPress user accounts, including administrator accounts.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including the deletion of any WordPress user accounts, even administrator accounts, by unauthenticated attackers.
Such unauthorized deletions can lead to complete site lockout, preventing legitimate administrators from accessing the site.
Additionally, it can cause data loss related to the deleted user accounts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to the REST API endpoint /wp-json/InkXEProductDesignerLite/customer/delete_customer. Since the endpoint lacks permission checks, any such requests could indicate exploitation attempts.
You can use network monitoring tools or command-line utilities like curl to test if the endpoint is accessible without authentication.
- Example curl command to test the vulnerable endpoint: curl -X POST https://yourwordpresssite.com/wp-json/InkXEProductDesignerLite/customer/delete_customer -d '{"user_ids":[1]}' -H 'Content-Type: application/json'
- Use web server logs or intrusion detection systems to look for POST requests to this specific REST API route.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Riaxe Product Customizer plugin to a version later than 2.1.2 where the vulnerability is fixed.
If an update is not immediately available, restrict access to the vulnerable REST API endpoint by implementing authentication or blocking POST requests to /wp-json/InkXEProductDesignerLite/customer/delete_customer via web server rules or firewall.
Monitor your WordPress user accounts for any unauthorized deletions and restore any lost accounts from backups if necessary.