What the vulnerability does
01Description
The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no authentication or authorization checks are performed. The endpoint queries WooCommerce order data from the database and returns it to the requester, including customer first and last names, customer IDs, order IDs, order totals, order dates, currencies, and order statuses. This makes it possible for unauthenticated attackers to extract sensitive customer and order information from the WooCommerce store.
Explanation of Vulnerability in Simple Terms
02Summary
Riaxe Product Customizer versions 2.4 and earlier expose sensitive information that can be accessed over the network without authentication. An attacker can retrieve this data directly, potentially including configuration details or user information. Update to a version newer than 2.4 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Read sensitive information from the application without logging in.
Potential impact on your site
04Site Impact
Sensitive data may be exposed to unauthorized parties if the site runs an affected version.
Conditions required to exploit
05Prerequisites
Network access to the application; no authentication or user interaction required.
Key dates
06Disclosure timeline
April 8, 2026
CVE published
April 8, 2026
Record updated
