CVE-2026-2296
Received Received - Intake
Code Injection in WooCommerce Product Addons Plugin Allows PHP Execution

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description
The Product Addons for Woocommerce – Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function, which passes unsanitized user input directly to PHP's eval() function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject and execute arbitrary PHP code on the server via the conditional logic 'operator' parameter when saving addon form field rules.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2296
EUVD
EUVD-2026-8083
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
woocommerce custom_product_addons to 3.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "The vulnerability in CVE-2026-2296 affects the Product Addons for WooCommerce – Product Options with Custom Fields plugin for WordPress, specifically all versions up to and including 3.1.0. It arises from insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function. This function uses PHP's eval() to execute dynamically constructed logical expressions based on user input."}, {'type': 'paragraph', 'content': "Because the 'operator' parameter is not properly sanitized, authenticated attackers with Shop Manager-level access or higher can inject and execute arbitrary PHP code on the server by manipulating the conditional logic 'operator' when saving addon form field rules."}, {'type': 'paragraph', 'content': 'Technically, the vulnerability stems from unsafe evaluation of conditional logic rules where user-supplied data influences PHP code executed via eval(), leading to potential code injection or arbitrary code execution.'}] [3, 4]

Impact Analysis

This vulnerability can have serious impacts because it allows an authenticated user with Shop Manager-level permissions or higher to execute arbitrary PHP code on the server hosting the WordPress site.

  • Arbitrary code execution could lead to full server compromise.
  • Attackers could manipulate or steal sensitive data stored on the server.
  • It could result in defacement, data loss, or unauthorized access to other parts of the system.
  • The vulnerability could also be used to install backdoors or malware, leading to persistent threats.

Overall, the vulnerability poses a high risk to the confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves unsafe evaluation of conditional logic rules in the WooCommerce Custom Product Addons plugin, specifically in the 'operator' field passed to PHP's eval() function. Detection involves identifying if the vulnerable plugin version (up to and including 3.1.0) is installed and if suspicious or unauthorized modifications to conditional logic rules exist."}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can check the installed version of the WooCommerce Custom Product Addons plugin. If it is version 3.1.0 or earlier, the system is vulnerable.'}, {'type': 'list_item', 'content': 'On the WordPress server, run a command to check the plugin version, for example:'}, {'type': 'list_item', 'content': "grep -r 'Version:' wp-content/plugins/woo-custom-product-addons/readme.txt"}, {'type': 'paragraph', 'content': 'Additionally, you can search for suspicious conditional logic rules or unexpected PHP code injections in the database or plugin files.'}, {'type': 'list_item', 'content': 'Use WP-CLI to list plugin versions: wp plugin list --status=active'}, {'type': 'list_item', 'content': "Search the database for suspicious 'operator' field values in addon form field rules that might contain PHP code or unexpected characters."}, {'type': 'paragraph', 'content': "Network detection might involve monitoring for unusual POST requests to the plugin's endpoints that include the 'operator' parameter with suspicious payloads, but specific commands for network detection are not provided in the available resources."}] [2, 3, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to update the WooCommerce Custom Product Addons plugin to version 3.1.1 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': "The update sanitizes and validates the logical operators used in conditional logic rules, ensuring only allowed operators ('and', 'or', '&&', '||') are processed, preventing unsafe evaluation and code injection."}, {'type': 'list_item', 'content': 'Backup your WordPress site and database before applying updates.'}, {'type': 'list_item', 'content': 'Update the plugin via the WordPress admin dashboard or manually replace plugin files with version 3.1.1.'}, {'type': 'list_item', 'content': 'Review and audit conditional logic rules in addon form fields to ensure no malicious code has been injected.'}, {'type': 'paragraph', 'content': 'Additionally, restrict Shop Manager-level access and above to trusted users only, as the vulnerability requires authenticated users with such privileges.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2296. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart