{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4001", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-11T18:29:35.330Z", "datePublished": "2026-03-23T23:25:48.659Z", "dateUpdated": "2026-04-08T17:00:23.860Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:23.860Z"}, "affected": [{"vendor": "acowebs", "product": "Woocommerce Custom Product Addons Pro", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: \"custom\" with {this.value})."}], "title": "Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae94e98632?source=cve"}, {"url": "https://acowebs.com/woo-custom-product-addons/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "cweId": "CWE-95", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ren Voza"}], "timeline": [{"time": "2026-03-17T15:37:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-23T10:53:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:37:42.756099Z", "id": "CVE-2026-4001", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:38:08.873Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4001", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T13:37:42.756099Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:38:04.818Z"}}], "cna": {"title": "Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula", "credits": [{"lang": "en", "type": "finder", "value": "Ren Voza"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "acowebs", "product": "Woocommerce Custom Product Addons Pro", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.4.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-17T15:37:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-23T10:53:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae94e98632?source=cve"}, {"url": "https://acowebs.com/woo-custom-product-addons/"}], "descriptions": [{"lang": "en", "value": "The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: \"custom\" with {this.value})."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-95", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-23T23:25:48.659Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4001", "state": "PUBLISHED", "dateUpdated": "2026-03-24T13:38:08.873Z", "dateReserved": "2026-03-11T18:29:35.330Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-23T23:25:48.659Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: \"custom\" with {this.value})."}, {"lang": "es", "value": "El plugin Woocommerce Custom Product Addons Pro para WordPress es vulnerable a ejecuci\u00f3n remota de c\u00f3digo en todas las versiones hasta la 5.4.1, inclusive, a trav\u00e9s de la f\u00f3rmula de precios personalizada eval() en la funci\u00f3n process_custom_formula() dentro de includes/process/price.php. Esto se debe a una sanitizaci\u00f3n y validaci\u00f3n insuficientes de los valores de campo enviados por el usuario antes de pasarlos a la funci\u00f3n eval() de PHP. El m\u00e9todo sanitize_values() elimina las etiquetas HTML pero no escapa las comillas simples ni previene la inyecci\u00f3n de c\u00f3digo PHP. Esto hace posible que atacantes no autenticados ejecuten c\u00f3digo arbitrario en el servidor al enviar un valor manipulado a un campo de texto de WCPA configurado con una f\u00f3rmula de precios personalizada (pricingType: 'custom' con {this.value})."}], "id": "CVE-2026-4001", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-24T00:16:31.040", "references": [{"source": "security@wordfence.com", "url": "https://acowebs.com/woo-custom-product-addons/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae94e98632?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-95"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Woocommerce Custom Product Addons Pro", "source": "cna", "vendor": "acowebs"}, "product": "woocommerce_custom_product_addons_pro", "vendor": "acowebs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-24T03:55:09.707665+00:00", "value": {"mitigation_remediation": ["Update the WooCommerce Custom Product Addons Pro plugin to the latest version (5.4.2 or newer) which removes the eval() call from custom pricing.", "If an immediate update is not possible, disable the custom pricing feature on all addon products or set pricingType to \"none\" to prevent evaluation of user input.", "Limit WordPress administrator access to trusted personnel only and enforce strong authentication controls.", "Verify that any remaining custom pricing formulas are strictly numeric and free of quotes or PHP syntax before evaluating them.", "Monitor server logs for unexpected eval usage or malformed pricing inputs and react promptly to any suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Vendors from acowebs offer the WooCommerce Custom Product Addons Pro plugin for WordPress. All releases up to and including version 5.4.1 are affected. Sites running WordPress with any of these plugin versions should be considered vulnerable until the issue is addressed or the plugin is updated to a patched release.", "description_and_impact": "The WooCommerce Custom Product Addons Pro plugin allows attackers to run arbitrary PHP code on the server without authentication. The vulnerability is triggered by the use of the eval() function on user\u2011submitted custom pricing formulas. Because the input is only stripped of HTML tags and not escaped, an attacker can inject PHP code via a custom pricing field (pricingType: \"custom\") and cause the server to execute that code. This gives the attacker full control over the affected WordPress site, including data theft, defacement, or further compromise.", "risk_and_exploitability": "The CVSS base score is 9.8, indicating a critical severity. EPSS data is not available, but the high CVSS score alone signals a very high likelihood of exploitation. The vulnerability is not listed in KEV, but its nature\u2014unauthenticated remote code execution\u2014makes it a prime target for automated attacks. Based on the description, the likely attack vector is the public website\u2019s product configuration interface; no authentication is required to submit malicious pricing formulas."}}}}, "created": "2026-03-24T10:29:56.714776+00:00", "updated": "2026-03-25T20:36:04.215999+00:00", "vendors": ["acowebs", "acowebs$PRODUCT$woocommerce_custom_product_addons_pro", "wordpress", "wordpress$PRODUCT$wordpress"]}