CVE-2026-2296
Code Injection in WooCommerce Product Addons Plugin Allows PHP Execution
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | custom_product_addons | to 3.1.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-2296 affects the Product Addons for WooCommerce – Product Options with Custom Fields plugin for WordPress, specifically all versions up to and including 3.1.0. It arises from insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function. This function uses PHP's eval() to execute dynamically constructed logical expressions based on user input.
Because the 'operator' parameter is not properly sanitized, authenticated attackers with Shop Manager-level access or higher can inject and execute arbitrary PHP code on the server by manipulating the conditional logic 'operator' when saving addon form field rules.
Technically, the vulnerability stems from unsafe evaluation of conditional logic rules where user-supplied data influences PHP code executed via eval(), leading to potential code injection or arbitrary code execution. [3, 4]
How can this vulnerability impact me?
This vulnerability can have serious impacts because it allows an authenticated user with Shop Manager-level permissions or higher to execute arbitrary PHP code on the server hosting the WordPress site.
- Arbitrary code execution could lead to full server compromise.
- Attackers could manipulate or steal sensitive data stored on the server.
- It could result in defacement, data loss, or unauthorized access to other parts of the system.
- The vulnerability could also be used to install backdoors or malware, leading to persistent threats.
Overall, the vulnerability poses a high risk to the confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsafe evaluation of conditional logic rules in the WooCommerce Custom Product Addons plugin, specifically in the 'operator' field passed to PHP's eval() function. Detection involves identifying if the vulnerable plugin version (up to and including 3.1.0) is installed and if suspicious or unauthorized modifications to conditional logic rules exist.
To detect the vulnerability on your system, you can check the installed version of the WooCommerce Custom Product Addons plugin. If it is version 3.1.0 or earlier, the system is vulnerable.
- On the WordPress server, run a command to check the plugin version, for example: grep -r 'Version:' wp-content/plugins/woo-custom-product-addons/readme.txt
Additionally, you can search for suspicious conditional logic rules or unexpected PHP code injections in the database or plugin files.
- Use WP-CLI to list plugin versions: wp plugin list --status=active
- Search the database for suspicious 'operator' field values in addon form field rules that might contain PHP code or unexpected characters.
Network detection might involve monitoring for unusual POST requests to the plugin's endpoints that include the 'operator' parameter with suspicious payloads, but specific commands for network detection are not provided in the available resources. [2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WooCommerce Custom Product Addons plugin to version 3.1.1 or later, where the vulnerability has been fixed.
The update sanitizes and validates the logical operators used in conditional logic rules, ensuring only allowed operators ('and', 'or', '&&', '||') are processed, preventing unsafe evaluation and code injection.
- Backup your WordPress site and database before applying updates.
- Update the plugin via the WordPress admin dashboard or manually replace plugin files with version 3.1.1.
- Review and audit conditional logic rules in addon form fields to ensure no malicious code has been injected.
Additionally, restrict Shop Manager-level access and above to trusted users only, as the vulnerability requires authenticated users with such privileges. [2]
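The two audit tasks above (scanning stored 'operator' values for anything outside the allowlist, and evaluating rules the way the fixed release is described to, without eval()) can be combined in one small script. This is an added example, not code from the plugin or from Wordfence; the rule field names and the exported JSON layout are assumed, since the page does not show the plugin's storage format.

```python
import json

# Operators the fixed plugin is described as accepting ('and', 'or', '&&', '||').
ALLOWED_OPERATORS = {"and", "or", "&&", "||"}

# Constructed sample export of conditional-logic rules. The field names
# ("field", "operator", "conditions") are assumptions for this example; the
# real plugin's storage layout is not described on the page.
SAMPLE_RULES_JSON = json.dumps([
    {"field": "engraving", "operator": "and", "conditions": [True, True]},
    {"field": "gift_wrap", "operator": "||", "conditions": [False, True]},
    {"field": "color", "operator": "or ; /* unexpected */", "conditions": [True]},
    {"field": "size", "operator": "AND ", "conditions": [True, False]},
])


def audit_rules(rules_json):
    """Return (field, operator) pairs whose operator is not in the allowlist.

    Matching is exact on purpose: anything that is not one of the four
    allowed tokens (including case or whitespace variants) is reported for
    review rather than silently normalised away.
    """
    findings = []
    for rule in json.loads(rules_json):
        operator = str(rule.get("operator", ""))
        if operator not in ALLOWED_OPERATORS:
            findings.append((rule.get("field"), operator))
    return findings


def eval_conditions_safe(operator, conditions):
    """Evaluate a rule's boolean conditions without building code for eval().

    The operator selects an all()/any() combination directly, so a value that
    is not on the allowlist can never reach an interpreter; it is rejected.
    """
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"operator not allowed: {operator!r}")
    if operator in ("and", "&&"):
        return all(bool(c) for c in conditions)
    return any(bool(c) for c in conditions)


if __name__ == "__main__":
    for field, operator in audit_rules(SAMPLE_RULES_JSON):
        print(f"review rule for field {field!r}: operator {operator!r}")
```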