CVE-2026-3599

Name of the Vulnerable Software and Affected Versions Riaxe Product Customizer versions prior to 2.1.3

Description An issue exists in the Riaxe Product Customizer plugin for WordPress where unauthenticated attackers can append additional SQL queries to existing ones to extract sensitive information from the database. This occurs due to insufficient escaping of user-supplied parameters and inadequate preparation of the SQL query. The flaw is located in the 'options' parameter keys within product data of the '/wp-json/InkXEProductDesignerLite/add-item-to-cart' REST API endpoint.

Recommendations Update the plugin to a version later than 2.1.2. As a temporary workaround, restrict access to the '/wp-json/InkXEProductDesignerLite/add-item-to-cart' REST API endpoint or avoid using the product data parameter until a patch is applied.