Attack Vectors
EmailKit – Email Customizer for WooCommerce & WP (slug: emailkit) is affected by CVE-2026-3474, rated Medium severity (CVSS 4.9). The issue can be exploited by an authenticated attacker with Administrator-level (or higher) access through a REST API request parameter named emailkit-editor-template.
In practical business terms, this means the primary risk comes from scenarios where an admin account is misused: stolen admin credentials, shared admin accounts, compromised third-party agencies or contractors, or internal misuse. Because it is network-accessible (AV:N) and requires no user interaction (UI:N), exploitation can be automated once an attacker has qualifying access.
Security Weakness
The vulnerability is an arbitrary file read via path traversal in EmailKit versions up to and including 1.6.3. According to the published advisory, the plugin’s TemplateData class action() method passes user-supplied input from the emailkit-editor-template REST API parameter directly into file_get_contents() without path validation, sanitization, or limiting reads to an allowed templates directory.
This lack of validation can allow an attacker to request files outside the intended template locations, potentially including sensitive system or application files such as wp-config.php (WordPress configuration) or /etc/passwd on Linux-based hosts, if readable by the web process.
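As an added illustration (not code from the EmailKit plugin), the following PHP contrasts the unvalidated file_get_contents() pattern the advisory describes with a loader that confines reads to an allowed templates directory; the function names, the .json allow-list and the constructed demo directory are assumptions, and it requires PHP 8.

```php
<?php
// Added example, not the plugin's own code: the unvalidated read pattern the
// advisory describes, next to a loader confined to an allow-listed directory.
declare(strict_types=1);

// Vulnerable pattern: the request value is concatenated straight into
// file_get_contents(), so "../" sequences or an absolute path escape $templatesDir.
function read_template_unsafe(string $templatesDir, string $template): string|false
{
    return file_get_contents($templatesDir . '/' . $template);
}

// Hardened loader: accept only a bare file name, canonicalise it, and require
// the result to be a regular .json file that still lies inside $templatesDir.
function read_template_safe(string $templatesDir, string $template): string
{
    $base = realpath($templatesDir);
    if ($base === false) {
        throw new RuntimeException('templates directory missing');
    }
    // basename() strips any directory part, so a name containing separators
    // (and therefore any "../" or absolute path) fails this comparison.
    if ($template === '' || str_contains($template, "\0") || $template !== basename($template)) {
        throw new InvalidArgumentException('invalid template name');
    }
    // realpath() also resolves symlinks, so a link pointing outside the
    // directory is caught by the prefix check below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $template);
    if ($candidate === false
        || !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)
        || !is_file($candidate)
        || pathinfo($candidate, PATHINFO_EXTENSION) !== 'json') {
        throw new InvalidArgumentException('template not found or not permitted');
    }
    return file_get_contents($candidate);
}

// Demo with a constructed templates directory holding one constructed template.
$dir = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/welcome.json', '{"subject":"Welcome"}');
foreach (['welcome.json', '../wp-config.php', '/etc/passwd'] as $t) {
    try {
        read_template_safe($dir, $t);
        echo "allowed:  $t\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $t ({$e->getMessage()})\n";
    }
}
unlink($dir . '/welcome.json');
rmdir($dir);
```

The same prefix check is what to look for when reviewing any plugin that builds a filesystem path from a REST parameter: the canonical path must be verified after realpath(), not before.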
Technical or Business Impacts
The most significant impact is confidentiality exposure (C:H in the CVSS vector). If sensitive files are read, an attacker may obtain information that supports broader compromise—such as database connection details, security keys/salts, environment configuration, filesystem paths, or other operational secrets.
For business owners, marketing leaders, and compliance teams, this can translate into material risk: data protection and privacy obligations, incident response costs, potential downtime during containment, and reputational damage if customer or order-related systems are impacted. While the exploit requires Administrator access (PR:H), organizations should treat this as a serious indicator that admin account hygiene and plugin patch management directly affect business risk.
Remediation: Update EmailKit to version 1.6.4 or a newer patched release. Additionally, review who has Administrator access, remove unnecessary admin accounts, and ensure strong authentication practices are enforced for privileged users.
Similar Attacks
Path traversal and arbitrary file read issues are common because they can expose configuration files and secrets that enable follow-on compromise. Comparable, well-documented examples include:
CVE-2021-41773 (Apache HTTP Server 2.4.49 Path Traversal)
CVE-2020-11738 (WordPress Duplicator Plugin Directory Traversal / Arbitrary File Read)