CVE-2026-4001

Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula

Severity Score: 9.8 (CVSS v3.1)

Exploit Likelihood (EPSS)

Affected Versions (CPE)

Public Exploits: 0 (multiple sources)

Exploited in Wild: - (KEV)

Decision: Attend (SSVC)

Descriptions

The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).
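As an added illustration, not code from the Woocommerce Custom Product Addons Pro plugin or from the CVE record, the following PHP shows the mitigation the description implies: the buyer-submitted field value is accepted only if it is a plain number, and the admin-configured formula containing {this.value} is evaluated by a small arithmetic interpreter instead of being passed to PHP's eval(). All function and variable names here are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's own code). Demonstrates handling a custom
// pricing formula with {this.value} without ever calling eval() on text that
// came from the request. Names prefixed wcpa_example_ are hypothetical.

// Accept only a plain decimal number; reject letters, quotes, operators, etc.
function wcpa_example_numeric_value(string $raw): ?float
{
    $raw = trim($raw);
    if (!preg_match('/^[+-]?\d+(\.\d+)?$/', $raw)) {
        return null;
    }
    return (float) $raw;
}

// Tokenise a formula made only of numbers, + - * / and parentheses.
// Every character must be consumed by a token, so anything else is rejected.
function wcpa_example_tokenise(string $expr): ?array
{
    $expr = preg_replace('/\s+/', '', $expr);
    if (!preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m)) {
        return null;
    }
    if (implode('', $m[0]) !== $expr) {
        return null;
    }
    return $m[0];
}

// Shunting-yard to reverse Polish notation, then stack evaluation.
// Binary operators only; negative numbers are written as (0-n) by the caller.
function wcpa_example_evaluate(string $expr): ?float
{
    $tokens = wcpa_example_tokenise($expr);
    if ($tokens === null) {
        return null;
    }
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $output = [];
    $ops = [];
    foreach ($tokens as $t) {
        if (is_numeric($t)) {
            $output[] = (float) $t;
        } elseif (isset($prec[$t])) {
            while ($ops && isset($prec[end($ops)]) && $prec[end($ops)] >= $prec[$t]) {
                $output[] = array_pop($ops);
            }
            $ops[] = $t;
        } elseif ($t === '(') {
            $ops[] = $t;
        } else { // ')'
            while ($ops && end($ops) !== '(') {
                $output[] = array_pop($ops);
            }
            if (array_pop($ops) !== '(') {
                return null; // unbalanced parenthesis
            }
        }
    }
    while ($ops) {
        $op = array_pop($ops);
        if ($op === '(') {
            return null; // unbalanced parenthesis
        }
        $output[] = $op;
    }
    $stack = [];
    foreach ($output as $item) {
        if (is_float($item)) {
            $stack[] = $item;
            continue;
        }
        if (count($stack) < 2) {
            return null; // malformed expression
        }
        $b = array_pop($stack);
        $a = array_pop($stack);
        switch ($item) {
            case '+': $stack[] = $a + $b; break;
            case '-': $stack[] = $a - $b; break;
            case '*': $stack[] = $a * $b; break;
            case '/': if ($b == 0.0) { return null; } $stack[] = $a / $b; break;
        }
    }
    return count($stack) === 1 ? $stack[0] : null;
}

// Hardened price step: validate the number first, substitute it as a literal,
// and refuse the request entirely when the value is not numeric.
function wcpa_example_price(string $formula, string $submitted): ?float
{
    $value = wcpa_example_numeric_value($submitted);
    if ($value === null) {
        return null;
    }
    $literal = $value < 0 ? '(0-' . abs($value) . ')' : (string) $value;
    return wcpa_example_evaluate(str_replace('{this.value}', $literal, $formula));
}

// Constructed inputs for the example: a per-unit style formula.
var_dump(wcpa_example_price('{this.value} * 0.5 + 2', '10'));    // float(7)
var_dump(wcpa_example_price('{this.value} * 0.5 + 2', '10abc')); // NULL: rejected before any evaluation
```

The design choice is that the request never influences what gets interpreted: the formula comes from the site administrator, and the only user-controlled contribution is a value that has already been proven to be a number, so stripping tags or escaping quotes is no longer the control the price calculation depends on.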

*Credits: Ren Voza
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: None
  • Automatable: Yes
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2026-03-11 CVE Reserved
  • 2026-03-23 CVE Published
  • 2026-03-24 CVE Updated
  • 2026-03-29 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Acowebs
  • Product: Woocommerce Custom Product Addons Pro
  • Version: <= 5.4.1
  • Other: en
  • Status: Affected