Sensitive Information Exposure in Riaxe Product Customizer Plugin for WordPress
CVE-2026-3594

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Riaxe Product Customizer
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-3594?

The Riaxe Product Customizer plugin for WordPress contains a vulnerability that allows unauthenticated attackers to access sensitive user data through an insecure REST API endpoint. This vulnerability affects all versions up to and including 2.4. The '/wp-json/InkXEProductDesignerLite/orders' endpoint is improperly configured with a permission callback that allows unrestricted access, leading to the exposure of sensitive customer information such as names, IDs, order totals, and statuses. Website owners utilizing this plugin should take immediate action to secure their systems.

Affected Version(s)

Riaxe Product Customizer 0 <= 2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/riaxe-product-...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 5, 2026

Credit

Kai Aizen

CVE-2026-3594 Data

JSON