CVE-2026-3474 is a CWE-22 path traversal vulnerability affecting the EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress, present in all versions up to and including 1.6.3. The root cause is the TemplateData class's action() function, which accepts user input from the 'emailkit-editor-template' parameter in the REST API and directly passes it to PHP's file_get_contents() function without any validation or restriction. This lack of path sanitization allows an authenticated attacker with administrator privileges to craft traversal sequences (e.g., ../../) to read arbitrary files on the server filesystem. The retrieved file contents are stored as post meta data and can be accessed later through the fetch-data REST API endpoint, facilitating exfiltration of sensitive information such as configuration files or system files. Interestingly, the plugin’s CheckForm class demonstrates awareness of path traversal risks by implementing realpath() checks and directory restrictions, but these safeguards were not applied to the TemplateData endpoint, indicating inconsistent security practices. The vulnerability requires administrator-level authentication but no additional user interaction, and it can be exploited remotely via the REST API. The CVSS 3.1 score of 4.9 reflects medium severity due to the need for high privileges and the read-only nature of the impact (confidentiality loss without integrity or availability impact). No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those hosting sensitive data or operating in regulated environments.

The primary impact of CVE-2026-3474 is unauthorized disclosure of sensitive server files, which can lead to information leakage of critical data such as database credentials (wp-config.php), system user information (/etc/passwd), or other confidential files stored on the server. This can facilitate further attacks like privilege escalation, lateral movement, or targeted exploitation by revealing system configurations and secrets. Since the vulnerability requires administrator-level access, it primarily threatens compromised or insider accounts but significantly lowers the barrier for attackers who have gained admin credentials through phishing or other means. The ability to read arbitrary files without integrity or availability impact limits the scope to confidentiality breaches; however, the stolen information can be leveraged for more damaging attacks. Organizations using WooCommerce and WordPress with this plugin are at risk, especially e-commerce sites handling customer data and payment information. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future exploitation. The vulnerability also highlights inconsistent security practices in plugin development, which may affect trust and compliance with security standards.

To mitigate CVE-2026-3474, organizations should immediately update the EmailKit – Email Customizer for WooCommerce & WP plugin to a patched version once available. Until a patch is released, restrict administrator access to trusted personnel only and monitor admin account activity closely. Implement Web Application Firewall (WAF) rules to detect and block REST API requests containing suspicious path traversal patterns targeting the 'emailkit-editor-template' parameter. Conduct thorough code reviews and penetration testing on custom or third-party plugins to identify similar path traversal flaws. Enforce the principle of least privilege by limiting administrator accounts and using multi-factor authentication to reduce the risk of credential compromise. Additionally, consider disabling or restricting REST API access for authenticated users if not required for business functions. For developers, apply consistent input validation and sanitization using realpath() and directory whitelisting for all file access operations, following the example of the CheckForm class. Regularly audit plugin security and maintain an inventory of installed plugins to quickly respond to vulnerabilities.