External risk intelligence

WordPress plugin allows attackers to take full control of your site

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-3596

The WordPress Riaxe Product Customizer plugin has a critical flaw allowing anyone to take full control of your website without needing a password, potentially impacting business operations.

Halo Surface Signal: 4

Privilege Escalation

External exposure likelihood

Halo Surface Signal score for CVE-2026-3596

This vulnerability affects a WordPress plugin, which extends a web application. WordPress sites are typically deployed as public-facing web services accessible over the internet. The vulnerable AJAX endpoint is exposed via standard HTTP traffic, making the attack surface reachable for any internet-facing installation of the affected plugin.

Horizon Alert

Summary of the vulnerability and why it matters

An unauthenticated vulnerability in the WordPress Riaxe Product Customizer plugin allows unauthorized users to modify critical site settings. This can lead to an attacker gaining administrative privileges on the affected website.

  • Attackers can take full control.
  • Any internet-connected site using the plugin is at risk.
  • This could impact business operations and data.

Attack Path

How an attacker could exploit the issue

Unauthenticated attackers can exploit this flaw by sending specially crafted AJAX requests to a WordPress site. The vulnerable plugin's `install-imprint` AJAX action allows an attacker to directly manipulate WordPress options without checks. This can be used to elevate their privileges to administrator, gaining full control of the website.

  • Unauthenticated access is sufficient.
  • AJAX action `wp_ajax_nopriv_install-imprint`.
  • Target: Modify WordPress options.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the Riaxe Product Customizer plugin allows unauthenticated attackers to update arbitrary WordPress options, leading to privilege escalation. The lack of authentication, capability checks, or option name validation on the `ink_pd_add_option()` function makes exploitation straightforward. Attackers could leverage this to enable user registration and assign administrator privileges to any user, gaining full control of a WordPress site.

  • Unauthenticated remote code execution path.
  • No public exploits observed.
  • Plugin actively used by many WordPress sites.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Given this is a critical, unauthenticated privilege escalation vulnerability in the Riaxe Product Customizer plugin, prioritize isolating or taking offline all affected WordPress instances. Monitor for signs of unauthorized option changes or user role modifications, as attackers can exploit this to gain administrator access. If immediate downtime is not feasible, implement strict firewall rules to block access to the vulnerable AJAX endpoint and consider disabling the plugin temporarily.

  • Block unauthenticated AJAX requests.
  • Isolate affected WordPress instances.
  • Update plugin to version 2.1.3 or later.

Frequently asked questions

What is the Riaxe Product Customizer plugin for WordPress and what is its vulnerability?

The Riaxe Product Customizer is a WordPress plugin that enables users to customize products on their websites. Versions up to and including 2.1.2 contain a privilege escalation vulnerability where unauthenticated attackers can update arbitrary WordPress options. This can be exploited to grant administrative privileges.

How does CVE-2026-3596 allow privilege escalation?

CVE-2026-3596 is a missing authorization vulnerability. An unauthenticated attacker can exploit the `wp_ajax_nopriv_install-imprint` AJAX action, which calls the `ink_pd_add_option()` function. This function allows modification of WordPress options using attacker-controlled values without any security checks, enabling privilege escalation.

What is the weakness class for CVE-2026-3596 and how is it triggered?

The weakness class is CWE-862 (Missing Authorization). The vulnerability is triggered by sending specially crafted AJAX requests to the `wp_ajax_nopriv_install-imprint` action, which is not properly secured against unauthenticated access.

What is the relevance of CVE-2026-3596 for external threats?

CVE-2026-3596 is classified as an external threat because its attack vector is over the network (CVSS:3.1/AV:N). Any internet-facing WordPress site using the affected plugin is potentially at risk from unauthenticated attackers.

What are the recommended operational fixes for this vulnerability?

To mitigate CVE-2026-3596, prioritize isolating or taking affected WordPress instances offline. Monitor for unauthorized option changes or user role modifications. If downtime is not feasible, block unauthenticated AJAX requests to the vulnerable endpoint, implement strict firewall rules, and consider temporarily disabling the plugin until it can be updated to version 2.1.3 or later.
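The Operational Fix section and the answer above both recommend two concrete detection steps: watch for requests to the vulnerable AJAX action, and watch for unauthorized changes to site options or user roles. The script below is an added example written for this page; it is not code from the advisory or from the plugin vendor. It assumes combined-format (Apache/nginx) access logs and that the two option snapshots it compares are collected separately (for example with WP-CLI's `wp option get`). The `install-imprint` action name comes from the advisory; the option names `users_can_register` and `default_role` are the standard WordPress options behind "enable user registration" and "assign a role to new users", and `admin_email` is included as an assumed extra option worth watching. The sample log lines are constructed.

```python
"""Defensive detection helpers for CVE-2026-3596 (Riaxe Product Customizer).

Two checks a responder can run while waiting for the 2.1.3 update:
  1. scan web-server access logs for requests to the vulnerable AJAX action;
  2. compare two snapshots of sensitive wp_options values and report drift.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Bare action name from the advisory. WordPress registers it as the hook
# wp_ajax_nopriv_install-imprint; the HTTP request carries only "install-imprint".
VULNERABLE_ACTION = "install-imprint"

# Options an attacker would change to open registration and hand out the
# administrator role (per the advisory). admin_email is an added assumption.
SENSITIVE_OPTIONS = ("users_can_register", "default_role", "admin_email")

# Combined access-log format: ip ident user [ts] "METHOD target proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=install-imprint HTTP/1.1" 200 17 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2026:12:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:12:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2026:12:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_install_imprint_requests(log_text):
    """Return parsed records for requests to admin-ajax.php naming the vulnerable action.

    Caveat: access logs only show the action when it is in the query string.
    A POST that carries action=install-imprint in the body (third sample line)
    looks like any other admin-ajax.php call here; catching that needs a WAF
    rule or application-level logging, not the access log alone.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        actions = parse_qs(parts.query).get("action", [])
        if VULNERABLE_ACTION in actions:
            hits.append(rec)
    return hits


def diff_sensitive_options(before, after):
    """Return (name, old, new) for each sensitive option whose value differs.

    `before` and `after` are {option_name: value} snapshots taken at two times
    (e.g. from `wp option get <name>`); a missing key compares as None.
    """
    changes = []
    for name in sorted(SENSITIVE_OPTIONS):
        old, new = before.get(name), after.get(name)
        if old != new:
            changes.append((name, old, new))
    return changes


if __name__ == "__main__":
    for rec in find_install_imprint_requests(SAMPLE_LOG):
        print(f"[ALERT] {rec['ts']} {rec['ip']} {rec['method']} {rec['target']} ua={rec['ua']}")

    # Constructed snapshots showing the change pattern the advisory describes.
    baseline = {"users_can_register": "0", "default_role": "subscriber", "admin_email": "owner@example.com"}
    current = {"users_can_register": "1", "default_role": "administrator", "admin_email": "owner@example.com"}
    for name, old, new in diff_sensitive_options(baseline, current):
        print(f"[ALERT] option {name} changed: {old!r} -> {new!r}")
```

Run the log scan over the site's access log on a schedule, and take the option snapshot before and after any suspicious request window; any `default_role` value other than the site's intended default, or `users_can_register` flipping to `1` without a change ticket, is the signal the advisory tells you to watch for. Because the access-log check cannot see POST-body parameters, pair it with the firewall rule on the AJAX endpoint rather than relying on it alone.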
