CVE-2026-3474 in EmailKit Plugin
Summary
by MITRE • 03/21/2026
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 1.6.3. This is due to the action() function in the TemplateData class passing user-supplied input from the 'emailkit-editor-template' REST API parameter directly to file_get_contents() without any path validation, sanitization, or restriction to an allowed directory. This makes it possible for authenticated attackers, with Administrator-level access, to read arbitrary files on the server (such as /etc/passwd or wp-config.php) by supplying a traversal path. The file contents are stored as post meta and can subsequently be retrieved via the fetch-data REST API endpoint. Notably, the CheckForm class in the same plugin implements proper path validation using realpath() and directory restriction, demonstrating that the developer was aware of the risk but failed to apply the same protections to the TemplateData endpoint.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2026-3474 resides within the EmailKit plugin for WordPress, specifically affecting versions up to and including 1.6.3. This issue represents a critical path traversal flaw that enables authenticated attackers with administrator privileges to access arbitrary files on the compromised server. The vulnerability stems from improper input validation within the TemplateData class where the action() function directly incorporates user-supplied data from the 'emailkit-editor-template' REST API parameter into file_get_contents() operations without any sanitization or directory restriction measures. This flaw operates at the core of the plugin's file handling mechanisms, creating a direct pathway for unauthorized file access that bypasses normal security controls. The vulnerability is particularly concerning because it allows attackers to read sensitive system files such as /etc/passwd or wp-config.php, which contain critical authentication and configuration information that could lead to complete system compromise.
The technical implementation of this vulnerability follows a well-established pattern of insecure file operations that aligns with CWE-22 Path Traversal vulnerabilities. The flaw demonstrates a clear failure in input validation where the plugin's developers failed to implement proper sanitization measures before processing user-supplied file paths. The REST API endpoint serves as the attack vector, accepting the malicious input through the emailkit-editor-template parameter and then passing this unvalidated data directly to the file system operations. This design choice creates an attack surface that can be exploited by any authenticated user with administrator privileges, significantly reducing the attack requirements compared to scenarios requiring additional exploitation steps. The vulnerability's impact is amplified by the fact that the plugin's architecture stores file contents as post meta data, which can then be retrieved through the fetch-data REST API endpoint, creating a complete information extraction chain.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with access to critical system configuration files that could contain database credentials, API keys, and other sensitive information. When combined with the plugin's existing functionality for managing email templates, attackers can potentially extract not only system files but also the contents of email templates and associated configuration data. The fact that this vulnerability affects a widely used plugin like EmailKit for WooCommerce means that the attack surface is extensive, potentially impacting numerous WordPress installations. The compromise of wp-config.php specifically exposes database connection details and cryptographic keys, which could enable attackers to escalate their privileges within the WordPress environment and potentially access other systems within the network infrastructure.
The security implications of this vulnerability are particularly severe when considering that the plugin developers had previously implemented proper security measures in the CheckForm class using realpath() and directory restriction techniques. This demonstrates that the developers were aware of the path traversal risk and had the knowledge and tools to implement proper protections. The inconsistent security implementation across different components of the same plugin indicates either a lack of thorough security review or an oversight during the development process. This pattern of partial security implementation creates a false sense of security for users while leaving critical components vulnerable to exploitation. The vulnerability's classification as a path traversal issue places it within the ATT&CK framework under T1059 Command and Scripting Interpreter and T1566 Credential Access, highlighting both the execution and information gathering aspects of the attack vector. Organizations should immediately implement mitigation strategies including updating to patched versions, implementing proper access controls, and monitoring for unauthorized access attempts to REST API endpoints. The vulnerability serves as a reminder of the critical importance of consistent security implementation across all components of software applications and the necessity of comprehensive security testing including code reviews and vulnerability assessments.