Description
The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an administrator grants access to (e.g., Subscriber) to to read the contents of arbitrary files on the server, which can contain sensitive information, or delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2026-04-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read and Deletion
Action: Patch Now
AI Analysis

Impact

The vulnerability stems from insufficient file path validation in the ajax_attach_file function of the WP Customer Area plugin, allowing an authenticated user with a role granted by an administrator (e.g., Subscriber) to request arbitrary file paths. An attacker can read any file on the server, including sensitive configuration files, or delete files, which could lead to remote code execution if critical files such as wp-config.php are removed. This flaw impacts confidentiality by exposing file contents and integrity by permitting deletion, and can cause availability issues if essential files are destroyed.

Affected Systems

The affected product is the WP Customer Area WordPress plugin from Aguilatechnologies. All releases up to and including version 8.3.4 are vulnerable. Users with Subscriber or higher roles who have been granted permission to access the file attachment functionality can exploit the flaw. No other vendors or plugins are mentioned.

Risk and Exploitability

The flaw has a CVSS score of 8.8, classifying it as high severity. The EPSS score is not available, and the vulnerability is not yet listed in CISA KEV, but the potential for exploitation remains significant. The likely attack vector is an authenticated AJAX request to the ajax_attach_file endpoint; attackers need only a legitimate credential with an authorized role, after which they can specify arbitrary file paths. Successful exploitation could result in data theft, unauthorized file deletion, or remote code execution if core WordPress files are removed.

Generated by OpenCVE AI on April 18, 2026 at 09:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Customer Area plugin to the latest patched release, or at least to a version higher than 8.3.4 that resolves the path validation issue.
  • Restrict the ajax_attach_file functionality to administrators only or remove the ability for Subscriber+ roles to invoke file attachment management by adjusting role capabilities in WordPress or using a security plugin restriction.
  • Strengthen server and file permissions: ensure the web server process has read/write permissions only on files that require it, and use .htaccess or web server rules to block direct read access to sensitive paths such as wp-config.php and other configuration files. Additionally, monitor file system events to detect unauthorized deletions.

Generated by OpenCVE AI on April 18, 2026 at 09:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Aguilatechnologies
Aguilatechnologies wp Customer Area
Wordpress
Wordpress wordpress
Vendors & Products Aguilatechnologies
Aguilatechnologies wp Customer Area
Wordpress
Wordpress wordpress

Fri, 17 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an administrator grants access to (e.g., Subscriber) to to read the contents of arbitrary files on the server, which can contain sensitive information, or delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title WP Customer Area <= 8.3.4 - Authenticated (Subscriber+) Arbitrary File Read/Deletion via ajax_attach_file
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Aguilatechnologies Wp Customer Area
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T18:37:36.472Z

Reserved: 2026-03-03T06:21:33.680Z

Link: CVE-2026-3464

cve-icon Vulnrichment

Updated: 2026-04-17T18:36:33.287Z

cve-icon NVD

Status : Received

Published: 2026-04-17T17:17:07.217

Modified: 2026-04-17T17:17:07.217

Link: CVE-2026-3464

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:15:15Z

Weaknesses