WP Customer Area Plugin Arbitrary File Read and Deletion Vulnerability

Vulnerability

A vulnerability in the WP Customer Area plugin for WordPress, affecting all versions through 8.3.4, allows authenticated attackers to read and delete arbitrary files on the server. This issue arises from inadequate file path validation in the 'ajax_attach_file' function. Attackers with a role granted access by an administrator, such as Subscriber, can exploit this vulnerability to access sensitive information or delete critical files, potentially leading to remote code execution.

Impact

Successful exploitation allows for unauthorized file access and deletion, with the possibility of executing remote code if certain files are removed.

Reproduction

To reproduce this vulnerability, an authenticated user with a role that has been granted access by an administrator (e.g., Subscriber) invokes the 'ajax_attach_file' function by sending a request that includes the 'post_id', 'filename', 'caption', 'source', and 'extra' parameters. Because the file path built from these parameters is not properly validated, they can be manipulated to read or delete files on the server.
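The fix for this class of bug is to never build a filesystem path from a user-supplied name without confining it to an expected directory. The following is an added illustration, not the plugin's own code: a hypothetical helper for a WordPress AJAX attachment handler that reduces the 'filename' parameter to a bare name, resolves it under a per-post upload directory, and rejects anything that escapes that directory. The function name, the nonce action 'cuar_example_attach', the 'customer-area/<post_id>' directory layout and the 'edit_post' capability are assumptions; wp_upload_dir(), wp_basename(), sanitize_file_name(), check_ajax_referer(), current_user_can(), trailingslashit() and WP_Error are real WordPress APIs.

```php
<?php
// Added example (hypothetical; not code from the WP Customer Area plugin).
// Assumes WordPress is loaded. Intended for read/delete of an existing attachment,
// so realpath() is expected to succeed for legitimate requests.

function cuar_example_resolve_attachment_path( $filename, $post_id ) {
    $post_id = (int) $post_id;

    // 1. A logged-in session alone is not authorization: require a valid nonce
    //    and a capability tied to the specific post (assumed capability).
    if ( ! check_ajax_referer( 'cuar_example_attach', 'nonce', false ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed.' );
    }

    // 2. Strip any directory component and traversal sequences from the name.
    //    wp_basename() removes path segments; sanitize_file_name() removes
    //    remaining unsafe characters. Reject empty and dot-prefixed names.
    $name = sanitize_file_name( wp_basename( (string) $filename ) );
    if ( '' === $name || '.' === $name[0] ) {
        return new WP_Error( 'bad_name', 'Invalid file name.' );
    }

    // 3. Resolve the allowed base directory (assumed layout) and the candidate
    //    path, then require the candidate to sit strictly inside the base.
    $uploads = wp_upload_dir();
    $base    = realpath( trailingslashit( $uploads['basedir'] ) . 'customer-area/' . $post_id );
    if ( false === $base ) {
        return new WP_Error( 'no_dir', 'Attachment directory does not exist.' );
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $candidate
        || 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'outside_base', 'File is outside the allowed directory.' );
    }

    // Only a path proven to be inside $base is ever returned to the caller,
    // which may then read or unlink it.
    return $candidate;
}
```

Symlinks inside the base directory are resolved by realpath() before the containment check, so a link pointing outside the directory is rejected as well.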

Remediation

Users are advised to update the WP Customer Area plugin to version 8.3.5 or later.

Added: Apr 17, 2026, 5:37 PM
Updated: Apr 17, 2026, 5:37 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          6.7
  exploitability  6.4
  remediation     7.7
  relevance       6.2
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.