Cyber Posture

CVE-2026-3464

High

Published: 17 April 2026
Modified: 22 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (56.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers, with a role that an administrator grants access to (e.g., Subscriber), to read the contents of arbitrary files on the server, which can contain sensitive information, or delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly addresses the insufficient file path validation in the ajax_attach_file function, preventing directory traversal for arbitrary file reads and deletions.

prevent: Mandates timely remediation of the vulnerability in WP Customer Area plugin versions up to 8.3.4 to eliminate the flaw.

prevent: Enforces approved authorizations to restrict low-privilege authenticated users from unauthorized file access and modification on the server.

Security Summary [AI-generated]

CVE-2026-3464 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting the WP Customer Area plugin for WordPress in all versions up to and including 8.3.4. It stems from insufficient file path validation in the 'ajax_attach_file' function, enabling arbitrary file read and deletion on the server (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Published on April 17, 2026, this flaw exposes WordPress sites using the plugin to potential compromise of sensitive data or critical system files.

Authenticated attackers with low-privilege roles, such as Subscriber (if granted access by an administrator), can exploit this over the network with no user interaction required. By crafting malicious requests to the vulnerable function, they can read contents of arbitrary files containing sensitive information or delete key files like wp-config.php, potentially leading to remote code execution through site disruption or reconfiguration.

The provided references point to specific locations in the plugin's source code for version 8.3.4, including JavaScript files (file-attachment-manager.js at line 170 and ftp-uploader.js at line 63) and PHP classes (private-file-addon.class.php at lines 844, 883, and 920), highlighting the inadequate path handling that allows directory traversal and unauthorized file operations. No patch or mitigation details are specified in the available information.
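As an added illustration of the control the page describes (file path validation that confines a user-supplied attachment name to its storage directory before any read or delete), the following PHP is example code written for this page; it is not code from the WP Customer Area plugin, and the function name resolve_attachment_path, the demo directory layout and the sample file names are hypothetical. The check rejects path separators, dot segments and NUL bytes up front, then compares the realpath()-canonicalised result against the canonical base directory, so a symlink planted inside the directory cannot escape it either.

```php
<?php
// Added example for this page, not the plugin's code. Names are hypothetical.
declare(strict_types=1);

/**
 * Resolve $userName inside $baseDir and return the canonical absolute path,
 * or null if the name is malformed or escapes the base directory.
 * realpath() requires the file to exist, which holds for read and delete.
 */
function resolve_attachment_path(string $baseDir, string $userName): ?string
{
    // Reject empty names and embedded NUL bytes before any filesystem call.
    if ($userName === '' || str_contains($userName, "\0")) {
        return null;
    }
    // An attachment is addressed by a bare file name: no '/' or '\' and no
    // '.' / '..' segments. This alone blocks "../../wp-config.php".
    if (preg_match('#[/\\\\]#', $userName) === 1 || $userName === '.' || $userName === '..') {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // storage directory missing or unreadable
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userName);
    if ($candidate === false) {
        return null; // file does not exist
    }
    // Containment check on the canonical path: defends against symlinks
    // inside the directory that point elsewhere on the server.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Build a throwaway directory with constructed sample files and run a set of
 * benign and malformed names through the check. Returns name => path|null.
 */
function demo(): array
{
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attach-demo-' . bin2hex(random_bytes(4));
    $private = $root . DIRECTORY_SEPARATOR . 'private';
    mkdir($private, 0700, true);
    file_put_contents($private . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample');
    file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-config.php', 'constructed sample');

    $inputs = ['report.pdf', '../wp-config.php', '..', "report.pdf\0.txt", 'missing.pdf'];
    $results = [];
    foreach ($inputs as $name) {
        $results[$name] = resolve_attachment_path($private, $name);
    }

    // Clean up the constructed files.
    unlink($private . DIRECTORY_SEPARATOR . 'report.pdf');
    unlink($root . DIRECTORY_SEPARATOR . 'wp-config.php');
    rmdir($private);
    rmdir($root);
    return $results;
}

foreach (demo() as $name => $path) {
    printf("%-22s => %s\n", addcslashes($name, "\0"), $path ?? 'REJECTED');
}
```

Running the script prints one line per constructed input: only report.pdf resolves, while the traversal string, the dot segment, the NUL-byte name and the missing file are all rejected. In a WordPress deployment the final read or delete should only ever receive the canonical path returned by such a check, never the raw request parameter; WordPress core's validate_file() can serve as an additional first-pass filter, and the capability check on the AJAX handler should remain separate from the path check rather than substitute for it.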

Details

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal in the WordPress plugin enables exploitation of a public-facing application (T1190), arbitrary file reads for collection of local data (T1005), and arbitrary deletions for file deletion and indicator removal (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References