Arbitrary File Manipulation in Customer Area Plugin for WordPress
CVE-2026-3464

8.8HIGH

Key Information:

Vendor: WordPress
Status: WP Customer Area
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-3464?

The WP Customer Area plugin for WordPress is affected by a vulnerability that allows authenticated users, provided they have the necessary permissions, to read and delete files on the server. This is due to inadequate file path validation in the 'ajax_attach_file' function. Such access could expose confidential data contained in server files or lead to significant risks if critical files, such as wp-config.php, are deleted. Overall, this flaw raises serious security concerns for WordPress sites using this plugin, making it essential for administrators to update to safer versions to mitigate the risk.

Affected Version(s)

WP Customer Area 0 <= 8.3.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3507868/cust...

https://plugins.trac.wordpress.org/browser/customer-area/...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Mar 3, 2026

Credit

Angus Girvan

CVE-2026-3464 Data

JSON