CVE-2026-4001

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0020 41.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient…

sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the CVE's root cause by requiring validation and sanitization of user-submitted values in custom pricing fields before passing to PHP's eval() function.

SI-2 Flaw Remediation good match

prevent

Ensures timely remediation of the flaw in Woocommerce Custom Product Addons Pro versions up to 5.4.1 through patching or upgrades as per vendor advisories.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning detects the RCE flaw (CVE-2026-4001) in the plugin, enabling proactive mitigation before exploitation.

Security SummaryAI

CVE-2026-4001 is a remote code execution vulnerability in the Woocommerce Custom Product Addons Pro plugin for WordPress, affecting all versions up to and including 5.4.1. The flaw exists in the process_custom_formula() function within includes/process/price.php, where user-submitted field values for custom pricing formulas are passed directly to PHP's eval() function without adequate sanitization or validation. The plugin's sanitize_values() method only strips HTML tags but does not escape single quotes or block PHP code injection, enabling attackers to inject and execute arbitrary code.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By submitting a specially crafted value to a WCPA text field configured for custom pricing (pricingType: "custom" with {this.value}), they can trigger the unsafe eval() execution. Successful exploitation grants full control over the server, including high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code).

Mitigation guidance is available in advisories from the plugin vendor at https://acowebs.com/woo-custom-product-addons/ and Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae94e98632?source=cve.

Details

CWE(s): CWE-95

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-4001 enables unauthenticated remote code execution via unsanitized input to PHP eval() in a public-facing WordPress plugin, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://acowebs.com/woo-custom-product-addons/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae94e98632?source=cve
security@wordfence.com