Cyber Resilience

CVE-2026-3464

High

Published: 17 April 2026

Modified: 22 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0097 (57.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3464 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (the affected product is inferred from the references). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 42.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3464 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting the WP Customer Area plugin for WordPress in all versions up to and including 8.3.4. It stems from insufficient file path validation in the 'ajax_attach_file' function, enabling arbitrary file read and deletion on the server (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Published on April 17, 2026, this flaw exposes WordPress sites using the plugin to potential compromise of sensitive data or critical system files.

Authenticated attackers with low-privilege roles, such as Subscriber (if granted access by an administrator), can exploit this over the network with no user interaction required. By crafting malicious requests to the vulnerable function, they can read contents of arbitrary files containing sensitive information or delete key files like wp-config.php, potentially leading to remote code execution through site disruption or reconfiguration.

The provided references point to specific locations in the plugin's source code for version 8.3.4, including JavaScript files (file-attachment-manager.js at line 170 and ftp-uploader.js at line 63) and PHP classes (private-file-addon.class.php at lines 844, 883, and 920), highlighting the inadequate path handling that allows directory traversal and unauthorized file operations. No patch or mitigation details are specified in the available information.

Vulnerability details

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an administrator grants access to (e.g., Subscriber) to read the contents of arbitrary files on the server, which can contain sensitive information, or delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal in WordPress plugin enables public-facing app exploitation (T1190), arbitrary file reads for local data collection (T1005), and arbitrary deletions for file deletion/indicator removal (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30005 (shared CWE-22)
CVE-2026-33493 (shared CWE-22)
CVE-2025-70084 (shared CWE-22)
CVE-2026-25069 (shared CWE-22)
CVE-2026-33686 (shared CWE-22)
CVE-2025-9801 (shared CWE-22)
CVE-2018-25144 (shared CWE-22)
CVE-2024-54291 (shared CWE-22)
CVE-2026-4350 (shared CWE-22)
CVE-2025-66687 (shared CWE-22)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses the insufficient file path validation in the ajax_attach_file function, preventing directory traversal for arbitrary file reads and deletions.

SI-2 Flaw Remediation (prevent): Mandates timely remediation of the vulnerability in WP Customer Area plugin versions up to 8.3.4 to eliminate the flaw.

Prevent: Enforces approved authorizations to restrict low-privilege authenticated users from unauthorized file access and modification on the server.

References