CVE-2026-42661

Vulnerability

The WP Customer Area plugin for WordPress (versions up to and including 8.3.4) contains a path traversal vulnerability exploitable through custom roles. The flaw resides in the handling of file paths when user roles are used to access protected content. No special configuration beyond having a custom role assigned is required to reach the vulnerable code path. Versions ≤8.3.4 are affected [1].

Exploitation

An attacker must have a custom role assigned on a WordPress site running the vulnerable plugin. The attacker can then craft a request that traverses directories (e.g., using ../ sequences) to read arbitrary files outside the intended scope. Authentication is required, but the privilege level needed is a custom role, which may be a low-privilege role such as a subscriber or customer [1].

Impact

Successful exploitation allows the attacker to read arbitrary files from the server, potentially including sensitive files like wp-config.php that contain database credentials. This constitutes a confidentiality impact only; the CIA outcome is information disclosure. The attacker gains no write or execute capabilities from this vulnerability alone [1].

Mitigation

The vulnerability is fixed in version 8.3.5, released on or before June 15, 2026, per references [1]. Users are urged to update immediately. If immediate update is not possible, Patchstack provides a mitigation rule to block attacks [1]. No workarounds outside of updating or using a web application firewall (WAF) rule are documented.