cvebase

Imprintnext Riaxe Product Customizer vulnerabilities

4 known vulnerabilities affecting imprintnext/riaxe_product_customizer.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 2

Vulnerabilities

CVE-2026-3596 | P2 | CRITICAL | CVSS 9.8 | ≤ 2.1.2 | 2026-04-16
CWE-862: The Riaxe Product Customizer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.2. The plugin registers an unauthenticated AJAX action ('wp_ajax_nopriv_install-imprint') that maps to the ink_pd_add_option() function. This function reads 'option' and 'opt_value' from $_POST, then calls delete_option()
Source: NVD
CVE-2026-3599 | P3 | HIGH | CVSS 7.5 | ≤ 2.1.2 | 2026-04-16
CWE-89: The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied parameter and insufficient preparation on
Source: NVD
CVE-2026-3595 | P3 | MEDIUM | CVSS 5.3 | ≤ 2.1.2 | 2026-04-16
CWE-862: The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission_callback, causing WordPress to default to allowing unauthenticated access, an
Source: NVD
CVE-2026-3594 | P4 | MEDIUM | CVSS 5.3 | ≤ 2.4 | 2026-04-08
CWE-200: The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no authentication or authorization checks are performed.
Source: NVD