{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2019", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T19:59:32.753Z", "datePublished": "2026-02-18T06:42:39.464Z", "dateUpdated": "2026-04-08T16:42:28.852Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:28.852Z"}, "affected": [{"vendor": "villatheme", "product": "Cart All In One For WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.21", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server."}], "title": "Cart All In One For WooCommerce <= 1.1.21 - Authenticated (Administrator+) Code Injection via 'sc_assign_page' Setting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25bdb89f-3478-4a1a-8bf0-46e88207eb21?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-cart-all-in-one/trunk/includes/frontend/sidebar-cart-icon.php#L245"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-cart-all-in-one/tags/1.1.21/includes/frontend/sidebar-cart-icon.php#L245"}, {"url": "https://plugins.trac.wordpress.org/changeset/3455202/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "cweId": "CWE-74", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phap Nguyen Anh"}], "timeline": [{"time": "2026-02-05T20:14:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T18:22:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T20:25:58.273071Z", "id": "CVE-2026-2019", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:26:07.868Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2019", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-18T20:25:58.273071Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:26:03.743Z"}}], "cna": {"title": "Cart All In One For WooCommerce <= 1.1.21 - Authenticated (Administrator+) Code Injection via 'sc_assign_page' Setting", "credits": [{"lang": "en", "type": "finder", "value": "Phap Nguyen Anh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "villatheme", "product": "Cart All In One For WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.21"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-05T20:14:41.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T18:22:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25bdb89f-3478-4a1a-8bf0-46e88207eb21?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-cart-all-in-one/trunk/includes/frontend/sidebar-cart-icon.php#L245"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-cart-all-in-one/tags/1.1.21/includes/frontend/sidebar-cart-icon.php#L245"}, {"url": "https://plugins.trac.wordpress.org/changeset/3455202/"}], "descriptions": [{"lang": "en", "value": "The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:28.852Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2019", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:28.852Z", "dateReserved": "2026-02-05T19:59:32.753Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T06:42:39.464Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server."}, {"lang": "es", "value": "El plugin Cart All In One para WooCommerce para WordPress es vulnerable a Inyecci\u00f3n de C\u00f3digo en todas las versiones hasta la 1.1.21, inclusive. Esto se debe a una validaci\u00f3n de entrada insuficiente en el campo 'Assign page' que se pasa directamente a la funci\u00f3n eval(). Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador y superior, ejecuten c\u00f3digo PHP arbitrario en el servidor."}], "id": "CVE-2026-2019", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T07:16:10.273", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-cart-all-in-one/tags/1.1.21/includes/frontend/sidebar-cart-icon.php#L245"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-cart-all-in-one/trunk/includes/frontend/sidebar-cart-icon.php#L245"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3455202/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25bdb89f-3478-4a1a-8bf0-46e88207eb21?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Cart All In One For WooCommerce", "source": "cna", "vendor": "villatheme"}, "product": "cart_all_in_one_for_woocommerce", "vendor": "villatheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:24:48.372349+00:00", "value": {"mitigation_remediation": ["Upgrade the Cart All In One For WooCommerce plugin to a version newer than 1.1.21, which removes the eval() vulnerability.", "If an upgrade cannot be performed immediately, restrict access to the plugin\u2019s settings page or disable the 'Assign page' setting to prevent exploitation by administrators.", "As a temporary workaround, edit the plugin file sidebar-cart-icon.php to remove or comment out the eval() call that uses the 'sc_assign_page' value, ensuring that no unsanitized code is executed."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the Villatheme Cart All In One For WooCommerce WordPress plugin. All releases up to and including version 1.1.21 are impacted.", "description_and_impact": "The vulnerability exists in the Cart All In One For WooCommerce plugin, where an insufficiently validated input field named 'Assign page' is fed directly into the eval() function. This allows an authenticated user with Administrator-level access to insert arbitrary PHP code that will be executed on the server, compromising the entire site\u2019s confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity, though the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability requires administrative privileges (authenticated via standard WordPress login), so an attacker must first compromise or obtain legitimate admin credentials. Once privileged, the attacker can exploit the eval() call to run arbitrary code. The plugin is not listed in the CISA Known Exploited Vulnerabilities catalog, which limits current public exploitation activity."}}}}, "created": "2026-02-18T10:43:40.455995+00:00", "updated": "2026-04-15T20:30:13.778695+00:00", "vendors": ["villatheme", "villatheme$PRODUCT$cart_all_in_one_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}