Description
The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission_callback, causing WordPress to default to allowing unauthenticated access, and the inkxe_delete_customer() callback function taking an array of user IDs from the request body and passing each one directly to wp_delete_user() without any authentication or authorization checks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress user accounts, including administrator accounts, leading to complete site lockout and data loss.
Published: 2026-04-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of WordPress user accounts leading to site lockout
Action: Immediate Patch
AI Analysis

Impact

The Riaxe Product Customizer plugin registers a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission_callback. This default to unauthenticated access. The callback accepts an array of user IDs, then passes each directly to wp_delete_user(), allowing an attacker to delete any WordPress user, including administrators, without authentication. The result can be complete site lockout and data loss.

Affected Systems

All WordPress installations that have imprintnext Riaxe Product Customizer version 2.1.2 or earlier installed are affected. The vulnerability exists in the plugin code itself; any site that relies on this plugin for product customization is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity risk. EPSS data is not available and the vulnerability has not been listed in CISA’s KEV catalog, suggesting no current widespread exploitation. The attack vector is deduced to be an unauthenticated HTTP POST request to the exposed REST endpoint; no credentials or privilege escalation are required for exploitation.

Generated by OpenCVE AI on April 16, 2026 at 08:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Riaxe Product Customizer to the latest patched version that implements a proper permission_callback for the delete_customer route.
  • If an update is unavailable, disable the plugin or remove the delete_customer endpoint by adding a code snippet that unregisters the REST route or overrides the callback with a no‑op function.
  • Restrict access to the /wp-json/InkXEProductDesignerLite/customer/delete_customer route by configuring a firewall rule or a security plugin to allow requests only from trusted administrators.
  • Monitor site logs for unexpected delete_user actions and promptly remediate any unauthorized activity.

Generated by OpenCVE AI on April 16, 2026 at 08:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Imprintnext
Imprintnext riaxe Product Customizer
Wordpress
Wordpress wordpress
Vendors & Products Imprintnext
Imprintnext riaxe Product Customizer
Wordpress
Wordpress wordpress

Thu, 16 Apr 2026 05:45:00 +0000

Type Values Removed Values Added
Description The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission_callback, causing WordPress to default to allowing unauthenticated access, and the inkxe_delete_customer() callback function taking an array of user IDs from the request body and passing each one directly to wp_delete_user() without any authentication or authorization checks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress user accounts, including administrator accounts, leading to complete site lockout and data loss.
Title Riaxe Product Customizer <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Imprintnext Riaxe Product Customizer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T12:04:31.317Z

Reserved: 2026-03-05T13:20:03.607Z

Link: CVE-2026-3595

cve-icon Vulnrichment

Updated: 2026-04-16T11:12:21.839Z

cve-icon NVD

Status : Received

Published: 2026-04-16T06:16:14.550

Modified: 2026-04-16T06:16:14.550

Link: CVE-2026-3595

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:11:50Z

Weaknesses