PT-2026-33265 · WordPress · Riaxe Product Customizer

Kai Aizen · Published 2026-04-16 · Updated 2026-04-16 · CVE-2026-3596

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions
Riaxe Product Customizer versions prior to 2.1.3

Description
The plugin contains a privilege escalation flaw due to an unauthenticated AJAX action 'wp_ajax_nopriv_install-imprint' that maps to the ink_pd_add_option() function. This function processes the option and opt_value variables from $_POST and executes delete_option() and add_option() using these values without nonce verification, capability checks, or an option name allowlist. Unauthenticated attackers can update arbitrary WordPress options, which may be used to enable user registration and set the default user role to administrator, leading to full site takeover.

Recommendations
Update to a version later than 2.1.2.
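
For plugin developers auditing similar option-writing AJAX handlers, the following added example (not the plugin's code and not its actual fix) shows the three controls the description lists as missing: nonce verification, a capability check, and an option name allowlist. The handler name, nonce action and allowlisted option names are hypothetical; the POST parameter names follow the description.

```php
<?php
// Added example: a hardened option-writing AJAX handler for WordPress.
// Hypothetical names: example_pd_set_option, the nonce action, and the
// option names in the allowlist. Only WordPress core functions are called.

// The only options this handler is ever allowed to write.
const EXAMPLE_PD_ALLOWED_OPTIONS = array(
    'example_pd_imprint_installed',
    'example_pd_imprint_version',
);

function example_pd_set_option() {
    // 1. Nonce verification: terminates the request with 403 when the
    //    'nonce' field is missing or invalid.
    check_ajax_referer( 'example_pd_set_option', 'nonce' );

    // 2. Capability check: only users who may manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Option name allowlist: strict comparison against fixed names, so
    //    core options such as users_can_register or default_role can never
    //    be reached through this handler.
    $option = isset( $_POST['option'] )
        ? sanitize_key( wp_unslash( $_POST['option'] ) )
        : '';
    if ( ! in_array( $option, EXAMPLE_PD_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'Option not allowed' ), 400 );
    }

    $value = isset( $_POST['opt_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['opt_value'] ) )
        : '';

    update_option( $option, $value );
    wp_send_json_success();
}

// Registered for logged-in users only. No wp_ajax_nopriv_ hook is added,
// so unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_pd_set_option', 'example_pd_set_option' );
```

On a site that ran an affected version, the users_can_register and default_role options and the list of administrator accounts are the first things to review after updating.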

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-3596

Affected Products

Riaxe Product Customizer