CVE-2026-4001

CRITICAL 9.8

Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula

CVSS Score

9.8

EPSS Score

0.2%

EPSS Percentile

40th

The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).

CWE	CWE-95
Vendor	acowebs
Product	woocommerce custom product addons pro
Published	Mar 23, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for acowebs woocommerce custom product addons pro

Be the first to know when new critical vulnerabilities affecting acowebs woocommerce custom product addons pro are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

acowebs / Woocommerce Custom Product Addons Pro

0 ≤ 5.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae94e98632?source=cve acowebs.com: https://acowebs.com/woo-custom-product-addons/

Credits

Ren Voza