CVE-2026-4001
Received Received - Intake
Remote Code Execution in WooCommerce Custom Product Addons Pro

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: Wordfence

Description
The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Affected Vendors & Products
Vendor Product Version
acowebs woocommerce_custom_product_addons to 5.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Woocommerce Custom Product Addons Pro plugin for WordPress has a Remote Code Execution vulnerability in all versions up to and including 5.4.1. This occurs because the plugin uses PHP's eval() function on user-submitted custom pricing formulas without sufficient sanitization or validation. Although the plugin strips HTML tags, it does not escape single quotes or prevent PHP code injection, allowing unauthenticated attackers to execute arbitrary code on the server by submitting crafted values to a text field configured with a custom pricing formula.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability exists in all versions of the Woocommerce Custom Product Addons Pro plugin up to and including 5.4.1. Immediate mitigation steps include updating the plugin to a version later than 5.4.1 where the issue is fixed.

If an update is not immediately possible, consider disabling or removing the plugin to prevent exploitation.

Additionally, review and restrict user input fields that use custom pricing formulas to prevent untrusted input from reaching the eval() function.


How can this vulnerability impact me? :

This vulnerability can have severe impacts as it allows unauthenticated attackers to execute arbitrary code on the server hosting the WordPress site. This can lead to full compromise of the server, including data theft, data loss, defacement of the website, installation of malware, or using the server as a launchpad for further attacks.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart
Meta Information
CVE Publication Date:
2026-03-24
CVE Last Modified Date:
2026-03-24
Report Generation Date:
2026-03-24
AI Powered Q&A Generation:
2026-03-24
EPSS Last Evaluated Date:
N/A
NVD Report Link:
EUVD Report Link: