CVE-2026-3464
Published: 17 April 2026
Summary
CVE-2026-3464 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (product inferred from the references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the insufficient file path validation in the ajax_attach_file function, preventing directory traversal for arbitrary file reads and deletions.
- SI-2 (Flaw Remediation): Mandates timely remediation of the vulnerability in WP Customer Area plugin versions up to 8.3.4 to eliminate the flaw.
- Access enforcement: Enforces approved authorizations to restrict low-privilege authenticated users from unauthorized file access and modification on the server.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the WordPress plugin enables exploitation of a public-facing application (T1190), arbitrary file reads for local data collection (T1005), and arbitrary deletions that amount to file deletion / indicator removal (T1070.004).
NVD Description
The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an administrator grants access to (e.g., Subscriber) to read the contents of arbitrary files on the server, which can contain sensitive information, or delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Deeper analysis
CVE-2026-3464 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting the WP Customer Area plugin for WordPress in all versions up to and including 8.3.4. It stems from insufficient file path validation in the 'ajax_attach_file' function, enabling arbitrary file read and deletion on the server (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Published on April 17, 2026, this flaw exposes WordPress sites using the plugin to potential compromise of sensitive data or critical system files.
Authenticated attackers with low-privilege roles, such as Subscriber (if granted access by an administrator), can exploit this over the network with no user interaction required. By crafting malicious requests to the vulnerable function, they can read contents of arbitrary files containing sensitive information or delete key files like wp-config.php, potentially leading to remote code execution through site disruption or reconfiguration.
The provided references point to specific locations in the plugin's source code for version 8.3.4, including JavaScript files (file-attachment-manager.js at line 170 and ftp-uploader.js at line 63) and PHP classes (private-file-addon.class.php at lines 844, 883, and 920), highlighting the inadequate path handling that allows directory traversal and unauthorized file operations. No patch or mitigation details are specified in the available information.
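The SI-10 control above comes down to one check: resolve the user-supplied file name against the directory the plugin is allowed to serve, and refuse anything that ends up outside it. The following PHP is an added illustration written for this page, not code from the WP Customer Area plugin; the function name, the base directory and the `file` request parameter are assumptions.

```php
<?php
// Added example, not code from the WP Customer Area plugin: confine a
// user-supplied attachment name to one base directory before any
// read or delete. Function and directory names are hypothetical.

/**
 * Resolve $user_path relative to $base_dir and return the canonical
 * absolute path of an existing regular file, or null if the result
 * would fall outside $base_dir (traversal, absolute path, symlink escape).
 */
function resolve_within_base(string $base_dir, string $user_path): ?string
{
    // Canonical base: realpath follows symlinks and strips '..' segments.
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null;
    }
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // NUL bytes truncate the path in the underlying C calls; refuse them.
    if (strpos($user_path, "\0") !== false) {
        return null;
    }

    // Always anchor the candidate under the base; a leading slash or
    // backslash must not turn the input into an absolute path.
    $candidate = realpath($real_base . ltrim($user_path, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null; // missing target, or a directory rather than a file
    }

    // Compare the *resolved* path against the base; comparing the raw
    // input would let '..' segments and symlinks slip through.
    if (strncmp($candidate, $real_base, strlen($real_base)) !== 0) {
        return null;
    }
    return $candidate;
}

// Hypothetical AJAX handler body: act only on a path that passed the check.
$uploads   = '/var/www/html/wp-content/uploads/customer-area'; // assumed base
$requested = $_POST['file'] ?? '';                             // untrusted input
$path      = resolve_within_base($uploads, $requested);
if ($path === null) {
    http_response_code(400);
    exit('invalid file');
}
readfile($path); // or unlink($path) for the delete branch
```

Because `realpath()` only resolves paths that exist, the check also rejects dangling names, and the prefix comparison is done on the resolved path so that a symlink planted inside the uploads directory cannot point a read or delete at wp-config.php.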
Details
- CWE(s)