Riaxe Product Customizer Authorization Bypass Vulnerability Allowing Unauthenticated User Deletion

Vulnerability

An authorization bypass vulnerability has been identified in the Riaxe Product Customizer plugin for WordPress, affecting all versions through 2.1.2. The vulnerability arises because the plugin registers a REST API route for deleting customers without proper authorization checks. This oversight allows unauthenticated attackers to delete any WordPress user account, including those of administrators, resulting in complete site lockout and potential data loss.
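A site owner can check for this class of flaw by auditing the REST routes registered on their own installation. The script below is an added example, not code from the plugin or from this advisory; the function name `example_find_open_delete_routes` and the file name are hypothetical, and it assumes it is run inside a loaded WordPress environment (for instance with WP-CLI's `wp eval-file`).

```php
<?php
// Added example (not the plugin's code): list REST endpoints that accept
// DELETE and whose permission check is missing or unconditionally true.
// Assumed usage: wp eval-file audit-rest-delete.php   (file name is hypothetical)

function example_find_open_delete_routes() {
    $findings = array();

    // get_routes() returns route pattern => list of handler arrays; each
    // handler's 'methods' entry is an array keyed by HTTP method name.
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            if ( empty( $handler['methods']['DELETE'] ) ) {
                continue; // Handler does not serve DELETE requests.
            }

            $perm = isset( $handler['permission_callback'] )
                ? $handler['permission_callback']
                : null;

            // No callback at all, or the built-in "always allow" helper,
            // means any unauthenticated client can reach the handler.
            if ( null === $perm || '__return_true' === $perm ) {
                $findings[] = $route;
            }
        }
    }

    return array_values( array_unique( $findings ) );
}

$open = example_find_open_delete_routes();

if ( empty( $open ) ) {
    echo "No DELETE routes with a missing or always-true permission check.\n";
} else {
    foreach ( $open as $route ) {
        echo "DELETE without authorization check: {$route}\n";
    }
}
```

A route that passes this audit can still be unsafe if its permission callback is a custom function that returns true for everyone, so flagged routes are a starting point for review rather than a complete list.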

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of WordPress user accounts, including administrators, leading to a complete site lockout and loss of data associated with the deleted accounts.

Added: Apr 16, 2026, 6:32 AM
Updated: Apr 16, 2026, 6:32 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 6.0
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.