Critical WordPress Plugin Flaw: Riaxe Product Customizer Privilege Escalation

The National Vulnerability Database (NVD) has flagged a critical privilege escalation vulnerability, CVE-2026-3596, impacting the Riaxe Product Customizer plugin for WordPress. This flaw affects all versions up to, and including, 2.1.2, earning a severe CVSS score of 9.8 (CRITICAL).

According to the NVD, the plugin registers an unauthenticated AJAX action, wp_ajax_nopriv_install-imprint, which maps directly to the ink_pd_add_option() function. (The wp_ajax_nopriv_ prefix means WordPress runs the handler for any request to admin-ajax.php, logged in or not.) The real kicker here is that this function reads option and opt_value directly from $_POST and then calls delete_option() followed by add_option() using these attacker-controlled values, which amounts to an unconditional overwrite of whatever option name the request supplies. Crucially, there is no nonce verification, no capability check, and not even a basic option name allowlist in place. This glaring oversight means an unauthenticated attacker can effectively update arbitrary WordPress options. The implications are dire: an attacker could enable user registration and then set the default user role to administrator, effectively handing over the keys to the kingdom.
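To make the missing checks concrete, here is an added example (written for this page, not the plugin's actual code) that reconstructs the vulnerable handler from the NVD description and places a hardened version beside it. The function body, the option names in the allowlist, and the nonce action name are assumptions for illustration; the WordPress API calls (add_action, check_ajax_referer, current_user_can, sanitize_key, wp_unslash, update_option, wp_send_json_*) are the real core functions.

```php
<?php
/*
 * Reconstructed shape of the vulnerable handler, based only on the NVD text
 * (hypothetical body). It is hooked for unauthenticated requests and writes
 * whatever option name and value the client supplies.
 */
add_action('wp_ajax_nopriv_install-imprint', 'ink_pd_add_option');
add_action('wp_ajax_install-imprint', 'ink_pd_add_option');

function ink_pd_add_option() {
    $option = $_POST['option'];      // attacker-controlled option name
    $value  = $_POST['opt_value'];   // attacker-controlled option value
    delete_option($option);          // delete + add == unconditional overwrite,
    add_option($option, $value);     // so users_can_register / default_role are reachable
    wp_die();
}

/*
 * Hardened version. Three independent controls, each of which alone would have
 * blocked the privilege escalation described above:
 *   1. no wp_ajax_nopriv_ hook: installing an imprint is an admin-only task;
 *   2. a CSRF nonce plus a capability check on the logged-in user;
 *   3. an allowlist of the plugin's own option names, so core options such as
 *      users_can_register and default_role can never be written by this path.
 */
const INK_PD_ALLOWED_OPTIONS = array(   // assumed plugin-specific names
    'ink_pd_imprint_enabled',
    'ink_pd_imprint_path',
);

add_action('wp_ajax_install-imprint', 'ink_pd_add_option_safe');

function ink_pd_add_option_safe() {
    // Rejects the request (HTTP 403) unless a valid nonce for this action is present.
    check_ajax_referer('ink_pd_install_imprint', 'nonce');

    // Only users allowed to manage site options may reach the write.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    // Normalise the requested option name and refuse anything outside the allowlist.
    $option = isset($_POST['option']) ? sanitize_key(wp_unslash($_POST['option'])) : '';
    if (!in_array($option, INK_PD_ALLOWED_OPTIONS, true)) {
        wp_send_json_error('option not permitted', 400);
    }

    // Sanitise the value; use update_option, which creates or overwrites atomically.
    $value = isset($_POST['opt_value']) ? sanitize_text_field(wp_unslash($_POST['opt_value'])) : '';
    update_option($option, $value);

    wp_send_json_success(array('option' => $option));
}
```

The allowlist is the control that matters most for this particular bug class: even if a nonce leaks or a lower-privileged role is later granted access to the action, the handler still cannot touch core options. The matching front-end request would carry the nonce from wp_create_nonce('ink_pd_install_imprint') in its nonce field.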

Related ATT&CK Techniques

T1068 Privilege Escalation

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3596 | Privilege Escalation | Riaxe Product Customizer plugin for WordPress versions <= 2.1.2 |
| CVE-2026-3596 | Privilege Escalation | Unauthenticated AJAX action: 'wp_ajax_nopriv_install-imprint' |
| CVE-2026-3596 | Privilege Escalation | Vulnerable function: ink_pd_add_option() allowing arbitrary WordPress option updates |
| CVE-2026-3596 | Privilege Escalation | Lack of nonce verification, capability checks, or option name allowlist in ink_pd_add_option() |
