Description
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 1.6.3. This is due to the action() function in the TemplateData class passing user-supplied input from the 'emailkit-editor-template' REST API parameter directly to file_get_contents() without any path validation, sanitization, or restriction to an allowed directory. This makes it possible for authenticated attackers, with Administrator-level access, to read arbitrary files on the server (such as /etc/passwd or wp-config.php) by supplying a traversal path. The file contents are stored as post meta and can subsequently be retrieved via the fetch-data REST API endpoint. Notably, the CheckForm class in the same plugin implements proper path validation using realpath() and directory restriction, demonstrating that the developer was aware of the risk but failed to apply the same protections to the TemplateData endpoint.
Published: 2026-03-20
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

The EmailKit – Email Customizer for WooCommerce & WP plugin contains a path traversal flaw in the TemplateData endpoint. The action() function accepts the 'emailkit-editor-template' REST API parameter and passes it directly to file_get_contents() without validating or restricting the path. An authenticated user with Administrator privileges can supply a traversal string to read any file viewable by the web server, such as /etc/passwd or wp‑config.php, and the contents are stored as post meta for later retrieval. This results in a confidentiality breach of arbitrary files on the server, and it is identified by CWE‑22.

Affected Systems

The vulnerability affects the EmailKit plugin from roxnor, used with WooCommerce and WordPress. All releases up to and including 1.6.3 are impacted, while newer releases are presumed fixed.

Risk and Exploitability

With a CVSS score of 4.9, the severity is moderate. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, suggesting no known public exploitation yet. Attack requires authenticated access to the REST API endpoint and an Administrator role, making the exploit more constrained compared to unauthenticated attacks. Nonetheless, the ability to read arbitrary files poses significant risk to confidentiality in compromised sites.

Generated by OpenCVE AI on March 21, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update EmailKit to the latest available version (≥ 1.6.4).
  • Verify that only legitimate administrators have access to the REST API endpoints and consider disabling the editor‑template route if it is not needed.
  • If an update cannot be applied immediately, block the vulnerable endpoint using web server access controls or a firewall rule.
  • Conduct a review of other plugins that expose REST API routes to ensure they validate all path inputs.

Generated by OpenCVE AI on March 21, 2026 at 07:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Roxnor
Roxnor emailkit – Email Customizer For Woocommerce & Wp
Wordpress
Wordpress wordpress
Vendors & Products Roxnor
Roxnor emailkit – Email Customizer For Woocommerce & Wp
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 1.6.3. This is due to the action() function in the TemplateData class passing user-supplied input from the 'emailkit-editor-template' REST API parameter directly to file_get_contents() without any path validation, sanitization, or restriction to an allowed directory. This makes it possible for authenticated attackers, with Administrator-level access, to read arbitrary files on the server (such as /etc/passwd or wp-config.php) by supplying a traversal path. The file contents are stored as post meta and can subsequently be retrieved via the fetch-data REST API endpoint. Notably, the CheckForm class in the same plugin implements proper path validation using realpath() and directory restriction, demonstrating that the developer was aware of the risk but failed to apply the same protections to the TemplateData endpoint.
Title EmailKit <= 1.6.3 - Authenticated (Administrator+) Path Traversal via 'emailkit-editor-template' REST API Parameter
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Roxnor Emailkit – Email Customizer For Woocommerce & Wp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:56.219Z

Reserved: 2026-03-03T13:02:05.586Z

Link: CVE-2026-3474

cve-icon Vulnrichment

Updated: 2026-03-23T16:41:31.782Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T00:16:28.207

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-3474

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:33:34Z

Weaknesses