CVE-2026-3474 MEDIUM

CVE-2026-3474: EmailKit <= 1.6.3 - Authenticated (Administrator+) Path Traversal via 'emailkit-editor-template' REST API Parameter

Vendor Roxnor
Product EmailKit – Email Customizer for WooCommerce & WP
Weakness CWE-22 · Path traversal
Published March 20, 2026
Last update April 8, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 1.6.3. This is due to the action() function in the TemplateData class passing user-supplied input from the 'emailkit-editor-template' REST API parameter directly to file_get_contents() without any path validation, sanitization, or restriction to an allowed directory. This makes it possible for authenticated attackers, with Administrator-level access, to read arbitrary files on the server (such as /etc/passwd or wp-config.php) by supplying a traversal path. The file contents are stored as post meta and can subsequently be retrieved via the fetch-data REST API endpoint. Notably, the CheckForm class in the same plugin implements proper path validation using realpath() and directory restriction, demonstrating that the developer was aware of the risk but failed to apply the same protections to the TemplateData endpoint.

Explanation of Vulnerability in Simple Terms

02Summary

EmailKit for WooCommerce & WordPress contains a path traversal vulnerability in versions up to 1.6.3. An authenticated administrator can read arbitrary files from the server by manipulating file paths. The vulnerability requires high-level admin access and does not allow file modification or deletion. Site owners should update immediately to a patched version.

What an attacker can do

03Attacker Capabilities

Read arbitrary files from the server filesystem.

Potential impact on your site

04Site Impact

An admin account (compromised or malicious) can access sensitive files like database configs or private keys.

Conditions required to exploit

05Prerequisites

Attacker must have WordPress administrator privileges.

Key dates

06Disclosure timeline

March 20, 2026 CVE published
April 8, 2026 Record updated