PT-2026-33264 · WordPress · Riaxe Product Customizer

Kai Aizen · Published 2026-04-16 · Updated 2026-04-24 · CVE-2026-3595

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Riaxe Product Customizer versions prior to 2.1.3

Description
An authorization bypass exists because the REST API route /wp-json/InkXEProductDesignerLite/customer/delete_customer is registered without a permission callback. This configuration allows unauthenticated access to the inkxe_delete_customer() function, which processes an array of user IDs from the request body and passes them to wp_delete_user() without performing authentication or authorization checks. Consequently, unauthenticated attackers can delete arbitrary WordPress user accounts, including administrator accounts, resulting in complete site lockout and data loss.

Recommendations
Update to a version later than 2.1.2. As a temporary workaround, restrict access to the /wp-json/InkXEProductDesignerLite/customer/delete_customer endpoint.
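
One way to apply the temporary workaround at the WordPress layer, as an added example that is not vendor or advisory code: a must-use plugin that rejects requests to the route unless the caller holds the `delete_users` capability. The file path, the constant name, the log message and the choice of capability are assumptions.

```php
<?php
/**
 * Added example (not vendor code): deny the Riaxe delete_customer REST
 * route to any caller who cannot delete users.
 * Assumed install path: wp-content/mu-plugins/block-riaxe-delete-customer.php
 */

// Route as WP_REST_Request::get_route() reports it (no /wp-json prefix).
const RIAXE_DELETE_ROUTE = '/InkXEProductDesignerLite/customer/delete_customer';

add_filter(
	'rest_pre_dispatch',
	function ( $result, $server, $request ) {
		// Respect a response that another filter already short-circuited.
		if ( null !== $result ) {
			return $result;
		}

		// The REST server matches routes case-insensitively, so compare
		// in lower case and ignore a trailing slash.
		$route = untrailingslashit( strtolower( $request->get_route() ) );
		if ( strtolower( RIAXE_DELETE_ROUTE ) !== $route ) {
			return $result;
		}

		// Assumption: delete_users is the right gate, since the handler
		// ends in wp_delete_user().
		if ( current_user_can( 'delete_users' ) ) {
			return $result;
		}

		// Leave a trace for detection; REMOTE_ADDR is the proxy address
		// when the site sits behind one.
		error_log( sprintf(
			'Blocked %s %s from %s',
			$request->get_method(),
			$request->get_route(),
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
		) );

		// 401 for anonymous callers, 403 for logged-in users without the cap.
		return new WP_Error(
			'rest_forbidden',
			'Sorry, you are not allowed to do that.',
			array( 'status' => rest_authorization_required_code() )
		);
	},
	10,
	3
);
```

The filter runs before the route's own callback is dispatched, so the check applies even though the plugin registers no permission callback; remove the file once the plugin is updated.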

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-3595

Affected Products: Riaxe Product Customizer