VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 10 known issues Latest disclosed Apr 17, 2026

WP Customer Area Vulnerabilities

Review known vulnerability records for the WordPress plugin WP Customer Area (`customer-area`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-3464, CVE-2025-60201 and CVE-2025-49982, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
10
High or Critical
3
Patch Coverage
100%
Last Updated
Apr 17, 2026
Priority CVE Quick Links

Fast paths into WP Customer Area CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
10
CVE-2026-3464 High 8.3.5
CVE-2026-3464 WP Customer Area Remote Code Execution

WP Customer Area <= 8.3.4 - Authenticated (Subscriber+) Arbitrary File Read/Deletion via ajax_attach_file

CVE-2022-4745 High 8.1.4
CVE-2022-4745 WP Customer Area Cross-Site Request Forgery

WP Customer Area <= 8.1.3 - Cross-Site Request Forgery

CVE-2025-60201 High No patch listed
CVE-2025-60201 WP Customer Area Local File Inclusion

Customer Area <= 8.2.7 - Unauthenticated Local File Inclusion

CVE-2024-0665 Medium 8.2.3
CVE-2024-0665 WP Customer Area Cross-Site Scripting

WP Customer Area <= 8.2.2 - Reflected Cross-Site Scripting

CVE-2017-18519 Medium 7.4.3
CVE-2017-18519 WP Customer Area Cross-Site Scripting

WP Customer Area <= 7.4.2 - Cross-Site Scripting

CVE-2025-49982 Medium No patch listed
CVE-2025-49982 WP Customer Area Vulnerability

WP Customer Area <= 8.2.5 - Missing Authorization

CVE-2024-12436 Medium 8.2.5
CVE-2024-12436 WP Customer Area Cross-Site Request Forgery

WP Customer Area <= 8.2.4 - Cross-Site Request Forgery to Bulk Deletion

CVE-2024-12280 Medium 8.2.5
CVE-2024-12280 WP Customer Area Cross-Site Request Forgery

WP Customer Area <= 8.2.4 - Cross-Site Request Forgery to Event Log Deletion

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP Customer Area so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
10 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 3 high severity findings.
Recent CVEs
CVE-2026-3464, CVE-2025-60201 and CVE-2025-49982
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for WP Customer Area

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-3464
CVE-2026-3464: WP Customer Area <= 8.3.4 - Authenticated (Subscriber+) Arbitrary File Read/Deletion via ajax_attach_file

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that...

Published
Apr 17, 2026
Patched Release
8.3.5
Affected Versions
Versions up to 8.3.4
Next Step
Update to 8.3.5 or newer if supported.
Open CVE-2026-3464 Report Open CVE Reference
Plugin High Patched: No CVE-2025-60201
CVE-2025-60201: Customer Area <= 8.2.7 - Unauthenticated Local File Inclusion

The Customer Area plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 8.2.7. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files....

Published
Jul 21, 2025
Patched Release
Not published
Affected Versions
Versions up to 8.2.7
Next Step
Open the full report for remediation notes and references.
Open CVE-2025-60201 Report Open CVE Reference
Plugin Medium Patched: No CVE-2025-49982
CVE-2025-49982: WP Customer Area <= 8.2.5 - Missing Authorization

The WP Customer Area plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 8.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an un...

Published
Jun 19, 2025
Patched Release
Not published
Affected Versions
Versions up to 8.2.5
Next Step
Open the full report for remediation notes and references.
Open CVE-2025-49982 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-12436
CVE-2024-12436: WP Customer Area <= 8.2.4 - Cross-Site Request Forgery to Bulk Deletion

The WP Customer Area plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.2.4. This is due to missing or incorrect nonce validation on the 'cuar-trash' action. This makes it possible for unauthenticated attackers to delete custo...

Published
Jan 06, 2025
Patched Release
8.2.5
Affected Versions
Versions up to 8.2.4
Next Step
Update to 8.2.5 or newer if supported.
Open CVE-2024-12436 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-12280
CVE-2024-12280: WP Customer Area <= 8.2.4 - Cross-Site Request Forgery to Event Log Deletion

The WP Customer Area plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.2.4. This is due to missing or incorrect nonce validation on the 'wpca-logs' page. This makes it possible for unauthenticated attackers to delete event lo...

Published
Jan 06, 2025
Patched Release
8.2.5
Affected Versions
Versions up to 8.2.4
Next Step
Update to 8.2.5 or newer if supported.
Open CVE-2024-12280 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-0665
CVE-2024-0665: WP Customer Area <= 8.2.2 - Reflected Cross-Site Scripting

The WP Customer Area plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

Published
Jan 23, 2024
Patched Release
8.2.3
Affected Versions
Versions up to 8.2.2
Next Step
Update to 8.2.3 or newer if supported.
Open CVE-2024-0665 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-6741
CVE-2023-6741: WP Customer Area <= 8.2.1 - Insecure Direct Object Reference to Address Modification

The WP Customer Area plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_address_for_owner function in all versions up to, and including, 8.2.0. This makes it possible for authenticated attackers, with subscriber-l...

Published
Jan 10, 2024
Patched Release
8.2.1
Affected Versions
Versions up to 8.2.0
Next Step
Update to 8.2.1 or newer if supported.
Open CVE-2023-6741 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-6824
CVE-2023-6824: WP Customer Area <= 8.2.0 - Insecure Direct Object Reference to Account Address Disclosure

The WP Customer Area plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_load_address_from_owner() function in all versions up to, and including, 8.2.0. This makes it possible for authenticated attackers with subscriber-...

Published
Jan 10, 2024
Patched Release
8.2.1
Affected Versions
Versions up to 8.2.0
Next Step
Update to 8.2.1 or newer if supported.
Open CVE-2023-6824 Report Open CVE Reference
Plugin High Patched: Yes CVE-2022-4745
CVE-2022-4745: WP Customer Area <= 8.1.3 - Cross-Site Request Forgery

The WP Customer Area plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.1.3. This is due to missing or incorrect nonce validation on several functions related to file and folder management. This makes it possible for unauthenticat...

Published
Jan 17, 2023
Patched Release
8.1.4
Affected Versions
Versions up to 8.1.3
Next Step
Update to 8.1.4 or newer if supported.
Open CVE-2022-4745 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2017-18519
CVE-2017-18519: WP Customer Area <= 7.4.2 - Cross-Site Scripting

The customer-area plugin before 7.4.3 for WordPress has XSS via admin pages.

Published
Nov 22, 2017
Patched Release
7.4.3
Affected Versions
Versions before 7.4.3
Next Step
Update to 7.4.3 or newer if supported.
Open CVE-2017-18519 Report Open CVE Reference