{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-3596/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3596"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","privilege-escalation","cve-2026-3596","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Riaxe Product Customizer plugin for WordPress, versions 2.1.2 and earlier, contains a critical privilege escalation vulnerability (CVE-2026-3596). This flaw stems from an unauthenticated AJAX action, \u0026lsquo;wp_ajax_nopriv_install-imprint\u0026rsquo;, which is improperly secured. The corresponding function, \u003ccode\u003eink_pd_add_option()\u003c/code\u003e, allows unauthenticated users to modify arbitrary WordPress options by sending POST requests. There are no nonce checks, capability checks, or input validation performed on the \u0026lsquo;option\u0026rsquo; and \u0026lsquo;opt_value\u0026rsquo; parameters, making it trivial to manipulate sensitive site settings. Successful exploitation allows attackers to grant themselves administrative privileges. This vulnerability poses a significant risk to any WordPress site using the affected plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the Riaxe Product Customizer plugin (\u0026lt;= 2.1.2).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003einstall-imprint\u003c/code\u003e, triggering the vulnerable AJAX action \u003ccode\u003ewp_ajax_nopriv_install-imprint\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eoption\u003c/code\u003e parameter to \u003ccode\u003edefault_role\u003c/code\u003e and the \u003ccode\u003eopt_value\u003c/code\u003e parameter to \u003ccode\u003eadministrator\u003c/code\u003e within the POST request. This will change the default user role to administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eoption\u003c/code\u003e parameter to \u003ccode\u003eusers_can_register\u003c/code\u003e and the \u003ccode\u003eopt_value\u003c/code\u003e parameter to \u003ccode\u003e1\u003c/code\u003e within the POST request. This enables user registration on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eink_pd_add_option()\u003c/code\u003e function executes, calling \u003ccode\u003edelete_option()\u003c/code\u003e and \u003ccode\u003eadd_option()\u003c/code\u003e with the attacker-supplied values, effectively updating the WordPress options table.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new user account on the WordPress site.\u003c/li\u003e\n\u003cli\u003eBecause user registration is enabled and the default user role is set to administrator, the attacker\u0026rsquo;s new account is granted administrator privileges, allowing full control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3596 allows unauthenticated attackers to gain complete control over a vulnerable WordPress website. This can lead to website defacement, data theft, malware distribution, and denial of service. Given the widespread use of WordPress, this vulnerability has the potential to affect a large number of websites across various sectors. A successful attack would result in the attacker having the same access as the original website administrator.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately remove the Riaxe Product Customizer plugin from WordPress installations if it is present. This will eliminate the attack vector (plugin removal).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category: \u003ccode\u003ewebserver\u003c/code\u003e, product: \u003ccode\u003elinux\u003c/code\u003e or \u003ccode\u003ewindows\u003c/code\u003e) for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003einstall-imprint\u003c/code\u003e using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eConsider implementing a Web Application Firewall (WAF) rule to block requests matching the exploit pattern described in the Attack Chain.\u003c/li\u003e\n\u003cli\u003eReview WordPress user accounts for any unauthorized administrators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T06:16:15Z","date_published":"2026-04-16T06:16:15Z","id":"/briefs/2026-04-wordpress-privesc/","summary":"The Riaxe Product Customizer plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to update arbitrary WordPress options via a publicly accessible AJAX endpoint and escalate privileges to administrator.","title":"Riaxe Product Customizer WordPress Plugin Privilege Escalation Vulnerability (CVE-2026-3596)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-3596","version":"https://jsonfeed.org/version/1.1"}