WP Customer Area CVE-2026-42661

EUVD-2026-36826 | HIGH
Path Traversal: '.../...//' (CWE-35)
2026-06-15 · Patchstack · GHSA-5cvj-q53x-r9m4
CVSS 3.1 base score 8.8 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 8.8 HIGH, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 8.8 HIGH

Reachable over the network via the WordPress site (AV:N/AC:L), requires a plugin custom-role account (PR:L), no user interaction, and arbitrary file read/write yields high CIA impact.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026, 21:59 (vuln.today)

Description (CVE.org)

Custom role Path Traversal in WP Customer Area <= 8.3.4 versions.

Analysis (AI)

Authenticated path traversal in the WP Customer Area WordPress plugin through version 8.3.4 allows users with low-privilege custom roles to escape intended directory boundaries and access or manipulate files outside the plugin's permitted scope. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates network-reachable exploitation by authenticated users with high impact across confidentiality, integrity, and availability. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify WP Customer Area on target site
Delivery: Register or obtain custom-role account
Exploit: Send request with traversal sequence to plugin endpoint
Install: Bypass path normalization (CWE-35)
C2: Read or write file outside plugin directory
Execute: Exfiltrate wp-config.php / overwrite site files
Impact: Escalate to full WordPress compromise

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) a WordPress site running WP Customer Area plugin version 8.3.4 or earlier, (2) the attacker holding a valid account assigned to one of the plugin's custom roles - the 'custom role' wording in the description indicates the traversal is reached through functionality gated to plugin-defined roles rather than fully anonymous endpoints, consistent with CVSS PR:L - and (3) network reachability to the WordPress front end (AV:N). …

Risk Assessment: The CVSS 3.1 base score of 8.8 reflects network attack vector, low complexity, low privileges, no user interaction, and high CIA impact - a serious profile for a WordPress plugin used on customer-facing portals. …

Exploit Scenario: An attacker registers or is granted a low-privilege custom role on a WordPress site running WP Customer Area 8.3.4 or earlier, then submits a crafted request to a plugin endpoint that accepts a file path parameter, inserting traversal sequences such as ../../wp-config.php to step out of the plugin's customer-area directory. The plugin resolves the path without proper normalization and reads, writes, or serves the targeted file, letting the attacker exfiltrate WordPress database credentials, overwrite site files, or stage further compromise. …

Remediation: Patch available per vendor advisory: upgrade the WP Customer Area plugin to a version newer than 8.3.4 as described in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/customer-area/vulnerability/wordpress-wp-customer-area-plugin-8-3-4-path-traversal-vulnerability); the exact fixed release number is not included in the provided intelligence and should be confirmed against the plugin's WordPress.org page before deployment. …
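The exploit scenario above turns on the plugin resolving a user-supplied path "without proper normalization", and the header names the CWE-35 pattern '.../...//', which is exactly the input that survives a filter that strips "../" in a single pass. The Python below is an added illustration, not code from the plugin or from the advisory: it shows that weak filter failing and, beside it, the confinement check a defender would want; the base directory is a constructed placeholder, since the plugin's real storage layout is not given here, and the logic is shown in Python rather than the plugin's PHP.

```python
import posixpath
import re

# Constructed base directory for the demo; the plugin's real storage layout is
# not stated in the advisory (assumption).
BASE_DIR = "/var/www/html/wp-content/customer-area/storage/user-42"


# Weak filter: strips "../" in one pass. The CWE-35 input ".../...//" contains
# two "../" hits; removing them leaves "../", so the traversal survives.
def naive_sanitize(user_path: str) -> str:
    return user_path.replace("../", "")


def naive_resolve(user_path: str) -> str:
    return posixpath.normpath(posixpath.join(BASE_DIR, naive_sanitize(user_path)))


# Allowlist for one path segment: must start with a letter or digit, so ".",
# "..", "..." and dot-files are all rejected before any joining happens.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def safe_resolve(base_dir: str, user_path: str):
    """Return the confined absolute path, or None if the input is rejected."""
    if not user_path or "\x00" in user_path:
        return None
    rel = user_path.replace("\\", "/")          # treat backslash as a separator
    if posixpath.isabs(rel):
        return None                              # no absolute paths
    segments = [s for s in rel.split("/") if s]
    if not segments or any(not SAFE_SEGMENT.match(s) for s in segments):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, *segments))
    # Defence in depth: the lexical result must still sit under base_dir.
    # On a real filesystem also apply os.path.realpath() to both sides so a
    # symlink inside base_dir cannot point the resolved path elsewhere.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    payload = ".../...//.../...//wp-config.php"
    print("weak  :", naive_resolve(payload))          # escapes BASE_DIR
    print("strict:", safe_resolve(BASE_DIR, payload))  # None (rejected)
    print("strict:", safe_resolve(BASE_DIR, "invoices/2026-05.pdf"))
```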

Recommended Action (AI)

Within 24 hours: Audit all WordPress installations for WP Customer Area plugin versions through 8.3.4; inventory all users assigned low-privilege custom roles. …


CVE-2026-42661 vulnerability details – vuln.today