Description
Custom role Path Traversal in WP Customer Area <= 8.3.4 versions.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the WP Customer Area plugin allows a custom role to supply a file path that is not properly sanitized. This omission enables the attacker to traverse directories and read any file located on the server, which can lead to exposure of sensitive data such as configuration files, credentials, or private documents. The weakness is classified as CWE-35, representing a classic path traversal flaw that can be exploited through the plugin’s file handling interface.

Affected Systems

All WordPress sites that use the WP Customer Area plugin from Aguilatechnologies with a version equal to or less than 8.3.4 are affected. The plugin is commonly integrated into sites that require restricted access management for users and is widely used across e-commerce, membership, and business intranet sites.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests that large-scale exploitation is unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the web interface that accepts file paths from authenticated users holding the custom role, so an attacker would first need to create or gain access to such a role. With that access, the attacker could retrieve arbitrary files, compromising the confidentiality of sensitive data. Because the flaw resides in a plugin that can be updated, the risk can be mitigated by applying the official fix.

Generated by OpenCVE AI on June 16, 2026 at 20:30 UTC.

Remediation

Vendor Solution

Update the WordPress WP Customer Area Plugin to the latest available version (at least 8.3.5).


OpenCVE Recommended Actions

  • Update the WP Customer Area plugin to version 8.3.5 or newer.
  • Remove the plugin from all WordPress installations that do not require its functionality.
  • If immediate removal is not possible, restrict the permissions of the custom role that can trigger the vulnerable file path handling to the minimal set required for the site’s operation.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 09:00:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Aguilatechnologies; Aguilatechnologies wp Customer Area; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Aguilatechnologies; Aguilatechnologies wp Customer Area; Wordpress; Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Custom role Path Traversal in WP Customer Area <= 8.3.4 versions.

Type: Title
Values Removed: (empty)
Values Added: WordPress WP Customer Area plugin <= 8.3.4 - Path Traversal vulnerability

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-35

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Aguilatechnologies Wp Customer Area
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T13:35:57.479Z

Reserved: 2026-04-29T09:04:47.837Z

Link: CVE-2026-42661

Vulnrichment

Updated: 2026-06-16T13:35:52.823Z

NVD

Status : Deferred

Published: 2026-06-15T21:16:55.813

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:45:02Z

Weaknesses
  • CWE-35: Path Traversal: '.../...//'
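The CWE-35 variant listed above describes why a filter that strips "../" once is not a fix for path traversal: the input ".../...//" collapses to "../" after a single pass. The following example is added for this write-up and is not code from the WP Customer Area plugin, Patchstack or OpenCVE; the weak filter, the directory layout and the file names are constructed. It contrasts a single-pass strip with a guard that resolves the path and checks that it stays inside the intended base directory, which is the check a plugin's file handler should perform.

```python
"""CWE-35 illustration: single-pass '../' stripping versus a realpath containment check.

Constructed example; not the plugin's own code. Assumes a POSIX filesystem.
"""
import os
import tempfile
from typing import Optional


def naive_strip(user_path: str) -> str:
    """Constructed weak filter: removes '../' in a single pass.

    '.../...//secret.txt' -> '../secret.txt', so the traversal survives.
    """
    return user_path.replace("../", "")


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened check: resolve the requested path and confirm it stays under base_dir.

    Returns the resolved absolute path, or None when it would escape base_dir.
    Absolute user paths are rejected too, because os.path.join drops base_dir for them.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> dict:
    """Build a constructed layout (public/readme.txt next to secret.txt) and compare both approaches."""
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "public")
        os.makedirs(public)
        with open(os.path.join(public, "readme.txt"), "w", encoding="utf-8") as fh:
            fh.write("public document\n")
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("constructed sensitive data\n")

        traversal = ".../...//secret.txt"   # the CWE-35 pattern
        filtered = naive_strip(traversal)   # becomes '../secret.txt'

        # Where the weak filter's output actually lands when joined with the public dir.
        naive_target = os.path.realpath(os.path.join(public, filtered))

        return {
            "filtered": filtered,
            # The stripped path resolves to the sibling secret file: the filter created the escape.
            "naive_escapes": naive_target == os.path.realpath(secret),
            # The containment check rejects the stripped path.
            "guard_blocks": resolve_within(public, filtered) is None,
            # A legitimate relative request is still served.
            "guard_allows_legit": resolve_within(public, "readme.txt") is not None,
            # Absolute paths are rejected as well.
            "guard_blocks_absolute": resolve_within(public, secret) is None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guard does not try to sanitize the input at all; it lets the operating system canonicalize the final path and then asks one question, whether the result is still under the allowed directory. That is why it is immune to encoding tricks such as the ".../...//" sequence that defeat string replacement.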