CVE-2026-3594 is a sensitive information exposure vulnerability in the Riaxe Product Customizer WordPress plugin. The issue arises because the REST API endpoint '/wp-json/InkXEProductDesignerLite/orders' is registered with a permission callback that always returns true, effectively disabling any authentication or authorization. As a result, unauthenticated users can query and retrieve WooCommerce order details including customer first and last names, customer IDs, order IDs, order totals, order dates, currencies, and order statuses. This vulnerability affects all versions up to and including 2.4 of the plugin. The CVSS 3.1 base score is 5.3, reflecting a medium severity impact due to the confidentiality breach without integrity or availability impact. No vendor advisory or patch links are currently provided, and the vulnerability is not related to a cloud service.

The vulnerability allows unauthenticated attackers to access sensitive customer and order information from WooCommerce stores using the affected plugin. This includes personally identifiable information such as customer names and IDs, as well as order details like totals, dates, currencies, and statuses. While the integrity and availability of the data are not affected, the confidentiality breach could lead to privacy violations and potential misuse of exposed data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider disabling or restricting access to the vulnerable REST API endpoint if possible, or removing the Riaxe Product Customizer plugin if it is not essential. Monitoring for updates from the vendor imprintnext is recommended to apply any forthcoming patches promptly.