{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2296", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-10T16:23:25.321Z", "datePublished": "2026-02-18T06:42:43.286Z", "dateUpdated": "2026-04-08T17:16:46.472Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:46.472Z"}, "affected": [{"vendor": "acowebs", "product": "Product Addons for Woocommerce \u2013 Product Options with Custom Fields", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Product Addons for Woocommerce \u2013 Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function, which passes unsanitized user input directly to PHP's eval() function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject and execute arbitrary PHP code on the server via the conditional logic 'operator' parameter when saving addon form field rules."}], "title": "Product Addons for Woocommerce \u2013 Product Options with Custom Fields <= 3.1.0 - Authenticated (Shop Manager+) Code Injection via Conditional Logic 'operator' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c1edd7-2421-4dfa-8775-ca0497759d52?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/trunk/includes/process/conditional-logic.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/tags/3.0.19/includes/process/conditional-logic.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/trunk/includes/process/conditional-logic.php#L84"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/tags/3.0.19/includes/process/conditional-logic.php#L84"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3458823%40woo-custom-product-addons&new=3458823%40woo-custom-product-addons&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phap Nguyen Anh"}], "timeline": [{"time": "2026-02-10T17:26:11.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T18:40:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T14:30:42.906874Z", "id": "CVE-2026-2296", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:32:00.396Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2296", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-18T14:30:42.906874Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:30:48.512Z"}}], "cna": {"title": "Product Addons for Woocommerce \u2013 Product Options with Custom Fields <= 3.1.0 - Authenticated (Shop Manager+) Code Injection via Conditional Logic 'operator' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Phap Nguyen Anh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "acowebs", "product": "Product Addons for Woocommerce \u2013 Product Options with Custom Fields", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-10T17:26:11.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T18:40:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c1edd7-2421-4dfa-8775-ca0497759d52?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/trunk/includes/process/conditional-logic.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/tags/3.0.19/includes/process/conditional-logic.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/trunk/includes/process/conditional-logic.php#L84"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/tags/3.0.19/includes/process/conditional-logic.php#L84"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3458823%40woo-custom-product-addons&new=3458823%40woo-custom-product-addons&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Product Addons for Woocommerce \u2013 Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function, which passes unsanitized user input directly to PHP's eval() function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject and execute arbitrary PHP code on the server via the conditional logic 'operator' parameter when saving addon form field rules."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:46.472Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2296", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:16:46.472Z", "dateReserved": "2026-02-10T16:23:25.321Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T06:42:43.286Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Product Addons for Woocommerce \u2013 Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function, which passes unsanitized user input directly to PHP's eval() function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject and execute arbitrary PHP code on the server via the conditional logic 'operator' parameter when saving addon form field rules."}, {"lang": "es", "value": "El plugin Product Addons para Woocommerce \u2013 Product Options with Custom Fields para WordPress es vulnerable a la Inyecci\u00f3n de C\u00f3digo en todas las versiones hasta la 3.1.0, inclusive. Esto se debe a una validaci\u00f3n de entrada insuficiente del campo 'operator' en las reglas de l\u00f3gica condicional dentro de la funci\u00f3n evalConditions(), que pasa la entrada de usuario no saneada directamente a la funci\u00f3n eval() de PHP. Esto hace posible que atacantes autenticados, con acceso de nivel de 'Shop Manager' o superior, inyecten y ejecuten c\u00f3digo PHP arbitrario en el servidor a trav\u00e9s del par\u00e1metro 'operator' de la l\u00f3gica condicional al guardar las reglas de los campos del formulario de complemento."}], "id": "CVE-2026-2296", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T07:16:10.630", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/tags/3.0.19/includes/process/conditional-logic.php#L104"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/tags/3.0.19/includes/process/conditional-logic.php#L84"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/trunk/includes/process/conditional-logic.php#L104"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-custom-product-addons/trunk/includes/process/conditional-logic.php#L84"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3458823%40woo-custom-product-addons&new=3458823%40woo-custom-product-addons&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c1edd7-2421-4dfa-8775-ca0497759d52?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Product Addons for Woocommerce \u2013 Product Options with Custom Fields", "source": "cna", "vendor": "acowebs"}, "product": "product_addons_for_woocommerce_\u2013_product_options_with_custom_fields", "vendor": "acowebs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:17:05.664715+00:00", "value": {"mitigation_remediation": ["Upgrade Product Addons for Woocommerce to a version newer than 3.1.0.", "Disable the plugin's conditional logic rules or restrict them to trusted users until the upgrade is applied.", "Restrict Shop Manager-level access to the minimum necessary users and monitor for unauthorized conditional logic modifications."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary PHP code execution"}, "threat_synthesis": {"affected_systems": "All WordPress sites installing the Product Addons for Woocommerce \u2013 Product Options with Custom Fields plugin version 3.1.0 or earlier are affected. Users must verify the plugin version in the WordPress admin area; if the installed version is 3.1.0 or earlier, the site is vulnerable.", "description_and_impact": "The Product Addons for Woocommerce \u2013 Product Options with Custom Fields plugin (WordPress) contains a code injection vulnerability in all versions up to 3.1.0. The flaw arises from insufficient validation of the 'operator' field in conditional logic rules within the evalConditions() function, which forwards raw user input to PHP's eval() function. An attacker with Shop Manager-level access can inject and execute arbitrary PHP code on the server when saving addon form field rules, leading to full system compromise. This flaw maps to CWE-94.", "risk_and_exploitability": "The CVSS score is 7.2, indicating high severity. EPSS is reported as <1%, suggesting that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access within the shop administration, typically a Shop Manager or higher, but once achieved, it gives remote code execution capabilities. The low EPSS indicates that exploitation may be limited or hidden, yet the impact makes the vulnerability highly dangerous if discovered."}}}}, "created": "2026-02-18T10:32:34.618522+00:00", "updated": "2026-04-15T18:30:10.935127+00:00", "vendors": ["acowebs", "acowebs$PRODUCT$product_addons_for_woocommerce_\u2013_product_options_with_custom_fields", "wordpress", "wordpress$PRODUCT$wordpress"]}