TROYANOSYVIRUS
Voltar para CVEs

CVE-2026-3594

MEDIUM
5.3

Descricao

The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no authentication or authorization checks are performed. The endpoint queries WooCommerce order data from the database and returns it to the requester, including customer first and last names, customer IDs, order IDs, order totals, order dates, currencies, and order statuses. This makes it possible for unauthenticated attackers to extract sensitive customer and order information from the WooCommerce store.

Detalhes CVE

Pontuacao CVSS v3.15.3
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado4/8/2026
Ultima modificacao4/8/2026
Fontenvd
Avistamentos honeypot0

Fraquezas (CWE)

CWE-200

Referencias

https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.4/riaxe-product-designer.php#L1101(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.4/riaxe-product-designer.php#L2809(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.4/riaxe-product-designer.php#L2820(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.4/riaxe-product-designer.php#L986(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L1101(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L2809(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L2820(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L986(security@wordfence.com)
https://www.wordfence.com/threat-intel/vulnerabilities/id/2ffd6393-6604-48d9-ba22-7d989305e9ed?source=cve(security@wordfence.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.