CVE-2026-3599
Published 2026-04-16
Priority P3 · 53 · high · 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS 0.49% (38.4th percentile)
The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied parameter and insufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| imprintnext | riaxe_product_customizer | <= 2.1.2 | — |
GHSA
GHSA-8m7q-ggj7-m3wx · ghsa_unreviewed · 2026-04-16
CVE-2026-3599 [HIGH] CWE-89
VulDB
imprintnext Riaxe Product Customizer Plugin up to 2.1.2 on WordPress REST API Endpoint add-item-to-cart product_data options sql injection
vuldb·2026-04-16·CVSS 7.5
A vulnerability was found in imprintnext Riaxe Product Customizer Plugin up to 2.1.2 on WordPress. It has been rated as critical. This issue affects the function product_data of the file /wp-json/InkXEProductDesignerLite/add-item-to-cart of the component REST API Endpoint. This manipulation of the argument options causes sql injection.
The identification of this vulnerability is CVE-2026-3599. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/riaxe-product-designer.php#L3576
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/riaxe-product-designer.php#L6808
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/riaxe-product-designer.php#L6876
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L3576
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L6808
https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-product-designer.php#L6876
https://www.wordfence.com/threat-intel/vulnerabilities/id/a36c9a7e-830d-4a92-a330-29279387b3be?source=cve