5.3
Riaxe Product Customizer plugin allows attackers to delete any WordPress user account
CVE-2026-3595
Summary
The Riaxe Product Customizer plugin for WordPress has a security flaw that allows anyone to delete any user account, including administrators, without needing a password. This could lead to a site being locked out and data being lost. Update the plugin to version 2.1.3 or later to fix this issue.
Original title
The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /...
Original description
The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/delete_customer without a permission_callback, causing WordPress to default to allowing unauthenticated access, and the inkxe_delete_customer() callback function taking an array of user IDs from the request body and passing each one directly to wp_delete_user() without any authentication or authorization checks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress user accounts, including administrator accounts, leading to complete site lockout and data loss.
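The two missing controls named in the description, a route-level permission_callback and a per-user authorization check before wp_delete_user(), are shown below as an added example. It is not the plugin's own code or its 2.1.3 fix. The namespace, route, function names, the user_ids parameter and the restriction to the customer role are assumptions made for illustration, and the file is assumed to be loaded as part of a WordPress plugin.

```php
<?php
// Constructed example plugin code; all names below are hypothetical.
// Weak pattern the advisory describes (kept as a comment, not registered):
//   register_rest_route( 'example-shop/v1', '/customer/delete', array(
//       'methods' => 'POST', 'callback' => 'example_delete_customers' ) );

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shop/v1', '/customer/delete', array(
        'methods'             => 'POST',
        'callback'            => 'example_delete_customers',
        // Route-level gate: evaluated before the callback ever runs.
        'permission_callback' => function () {
            return current_user_can( 'delete_users' );
        },
        'args'                => array(
            'user_ids' => array(
                'required' => true,
                'type'     => 'array',
                'items'    => array( 'type' => 'integer' ),
            ),
        ),
    ) );
} );

function example_delete_customers( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    $deleted = array();
    $skipped = array();
    $ids     = array_unique( array_map( 'absint', (array) $request['user_ids'] ) );
    foreach ( $ids as $id ) {
        $user = get_userdata( $id );
        // Per-object checks: the account must exist, must not be the caller,
        // must hold the customer role (assumed scope of this endpoint), and
        // the caller must pass the delete_user meta capability for this ID.
        $allowed = $user
            && $id !== get_current_user_id()
            && in_array( 'customer', (array) $user->roles, true )
            && current_user_can( 'delete_user', $id );
        if ( $allowed && wp_delete_user( $id ) ) {
            $deleted[] = $id;
        } else {
            $skipped[] = $id;
        }
    }
    return rest_ensure_response( array( 'deleted' => $deleted, 'skipped' => $skipped ) );
}
```

Since WordPress 5.5, registering a route without permission_callback raises a _doing_it_wrong notice, so running a plugin with WP_DEBUG enabled is a quick way to find routes that have the same gap.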
nvd CVSS3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/r...
- https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/r...
- https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/tags/2.1.2/r...
- https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-...
- https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-...
- https://plugins.trac.wordpress.org/browser/riaxe-product-customizer/trunk/riaxe-...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/59da92e2-9ea0-4566-ae4...
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026