EUVD-2026-23186CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied parameter and insufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
SQL injection in Riaxe Product Customizer for WordPress (all versions ≤2.1.2) allows unauthenticated remote attackers to extract sensitive database contents via crafted REST API requests. The vulnerability exists in the /wp-json/InkXEProductDesignerLite/add-item-to-cart endpoint where the 'options' parameter keys within 'product_data' lack proper SQL escaping. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all WordPress instances running Riaxe Product Customizer and document current versions via plugin inventory or WPScan audits. Within 7 days: Disable or remove the plugin from all production environments running versions ≤2.1.2; if plugin functionality is required, migrate to an alternative product customizer with current security patches or contact Riaxe for timeline on version 2.1.3+. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today