Security Alert Summary
The Woocommerce Custom Product Addons Pro plugin for WordPress contains a remote code execution vulnerability in how it processes custom pricing formulas. Insufficient sanitization and validation allow unauthenticated attackers to inject PHP code via a text field configured with a custom pricing formula, which may lead to arbitrary code execution on the server.
CVE Details
- CVE ID: CVE-2026-4001
- Affected component: Woocommerce Custom Product Addons Pro plugin for WordPress
- Affected versions: All versions up to and including 5.4.1
- Published: March 24, 2026 at 12:16 AM
- Last modified: March 24, 2026 at 3:53 PM
- CVSS v3.1: Base Score 9.8, Severity: CRITICAL, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / Privileges / User Interaction: None required (Network attack, No privileges, No user interaction)
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- CWE: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
Technical Details
The vulnerability is a Remote Code Execution (RCE) caused by the plugin using PHP’s eval() to process a custom pricing formula. The issue exists in the process_custom_formula() function located in includes/process/price.php. User-submitted values intended for pricing calculation are passed to eval() without sufficient validation or escaping.
The plugin’s sanitize_values() method removes HTML tags but does not escape single quotes or otherwise prevent PHP code from being injected. When a WCPA text field is configured with pricingType: "custom" and a formula containing {this.value}, an attacker can supply a crafted value that results in arbitrary PHP code execution when the formula is evaluated.
Because the vulnerability allows code execution from unauthenticated input and is invoked via the plugin’s pricing formula processing, successful exploitation can execute arbitrary server-side code. The description and metadata do not specify an available exploit or patch status; remediation details should be obtained from the plugin vendor and security advisories.
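The following is an added example, not code from the plugin or its vendor. It places a hypothetical reconstruction of the eval()-based pattern the advisory describes next to a hardened formula evaluator that never turns customer input into PHP source: the submitted value must be numeric, the formula is tokenised against a whitelist, and the arithmetic is evaluated by a small recursive-descent parser. The function and class names, the assumed formula grammar (numbers, + - * /, parentheses and the {this.value} placeholder) and the sample formula are all assumptions made for illustration; the unsafe function is defined only for contrast and is never called.

```php
<?php
// Added example, not code from the plugin or its vendor. It contrasts the eval()
// pattern the advisory describes with a formula evaluator that never turns
// customer input into PHP source. Assumed grammar: numbers, + - * /, parentheses
// and the placeholder {this.value}; the submitted value must be numeric. PHP 8+.

// Hypothetical reconstruction of the unsafe shape, shown for contrast and never
// called here: strip_tags() removes HTML, but the value still becomes PHP source.
function unsafe_price(string $formula, string $userValue): float
{
    $php = str_replace('{this.value}', "'" . strip_tags($userValue) . "'", $formula);
    return (float) eval('return ' . $php . ';');   // user text executed as code
}

// Hardened replacement: validate the value, tokenise the formula against a
// whitelist, then evaluate with a small recursive-descent parser. No eval().
final class SafeFormula
{
    private array $tokens;   // operator/literal strings, or the float value
    private int $pos = 0;

    public static function evaluate(string $formula, string $userValue): float
    {
        if (!is_numeric($userValue)) throw new InvalidArgumentException('value must be numeric');
        $p = new self($formula, (float) $userValue);
        $result = $p->expr();
        if ($p->pos !== count($p->tokens)) throw new InvalidArgumentException('trailing input in formula');
        return $result;
    }

    private function __construct(string $formula, float $value)
    {
        $compact = preg_replace('/\s+/', '', $formula);
        preg_match_all('/\{this\.value\}|\d+(?:\.\d+)?|[+\-*\/()]/', $compact, $m);
        // Anything the whitelist did not match is rejected, not passed through.
        if (implode('', $m[0]) !== $compact) throw new InvalidArgumentException('disallowed characters in formula');
        $this->tokens = array_map(fn(string $t) => $t === '{this.value}' ? $value : $t, $m[0]);
    }

    private function peek(): string|float|null { return $this->tokens[$this->pos] ?? null; }

    private function expr(): float   // expr := term (('+'|'-') term)*
    {
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->term();
            $v = $op === '+' ? $v + $rhs : $v - $rhs;
        }
        return $v;
    }

    private function term(): float   // term := factor (('*'|'/') factor)*
    {
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->factor();
            if ($op === '/' && $rhs == 0.0) throw new InvalidArgumentException('division by zero in formula');
            $v = $op === '*' ? $v * $rhs : $v / $rhs;
        }
        return $v;
    }

    private function factor(): float   // factor := '-' factor | '(' expr ')' | number
    {
        $t = $this->peek();
        if ($t === '-') { $this->pos++; return -$this->factor(); }
        if ($t === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($this->peek() !== ')') throw new InvalidArgumentException('missing closing parenthesis');
            $this->pos++;
            return $v;
        }
        if ($t !== null && is_numeric($t)) { $this->pos++; return (float) $t; }   // literal or value
        throw new InvalidArgumentException('unexpected token or end of formula');
    }
}

// Demo with a constructed formula: a numeric value is priced, non-numeric input is refused.
$formula = '({this.value} * 2.5) + 10';
echo SafeFormula::evaluate($formula, '4'), PHP_EOL;   // 20
foreach (['4 apples', ''] as $bad) {
    try {
        SafeFormula::evaluate($formula, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The design point is that the fix is not a better sanitizer in front of eval(): once customer text is concatenated into PHP source, escaping quotes only moves the problem. Treating the value strictly as a number and the formula as a tiny, closed grammar removes the string-to-code step entirely, so there is nothing left for a crafted value to break out of.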
How This Could Impact Your Website
In a typical WordPress environment, multiple users interact with the site: a site owner who manages plugins and settings, internal staff who add products and configure product fields, and external contractors or contributors who may edit product content. If an attacker submits a crafted value to a WCPA text field configured for a custom pricing formula, the resulting code execution could allow the attacker to run server-side commands, read or modify site files, or access stored data depending on server permissions.
Practical consequences may include unauthorized access to sensitive data, modification of product prices or content, and increased potential for targeted phishing if user emails or contact data are exposed. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other users who can edit product fields.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor site activity and logs for unusual behavior, especially changes to product fields or unexpected PHP errors.
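As an added example for the log-monitoring item above (not code from the plugin or its vendor), the script below triages a PHP error log for errors raised inside eval()'d code in the plugin's pricing module. PHP reports errors that occur inside eval() with the suffix "eval()'d code" after the calling file and line, and a legitimate pricing formula should never produce a parse error there, so such entries, especially several within the same minute, are worth alerting on. The log lines are constructed samples, the plugin directory is shown as the placeholder <plugin-dir>, and the default error_log line format is assumed; only the path includes/process/price.php comes from the advisory.

```php
<?php
// Added example, not code from the plugin or its vendor: triage a PHP error log
// for errors raised inside eval() within the plugin's pricing module. PHP tags
// such errors with "eval()'d code" after the calling file and line. Assumes the
// default error_log line format; <plugin-dir> is a placeholder. PHP 8+.

const PRICING_FILE = 'includes/process/price.php';   // path named in the advisory

// Constructed sample log lines, not real server output.
const SAMPLE_LOG = [
    "[24-Mar-2026 10:02:11 UTC] PHP Notice:  Undefined index: qty in /var/www/html/wp-content/plugins/<plugin-dir>/cart.php on line 88",
    "[24-Mar-2026 10:05:40 UTC] PHP Parse error:  syntax error, unexpected token \"}\" in /var/www/html/wp-content/plugins/<plugin-dir>/includes/process/price.php(210) : eval()'d code on line 1",
    "[24-Mar-2026 10:05:41 UTC] PHP Parse error:  syntax error, unexpected identifier in /var/www/html/wp-content/plugins/<plugin-dir>/includes/process/price.php(210) : eval()'d code on line 1",
    "[24-Mar-2026 10:07:03 UTC] PHP Warning:  A non-numeric value encountered in /var/www/html/wp-content/plugins/<plugin-dir>/includes/process/price.php on line 215",
];

// Split one error_log line into timestamp, severity and message; null if unparseable.
function parse_line(string $line): ?array
{
    if (!preg_match('/^\[(?<ts>[^\]]+)\] PHP (?<level>[A-Za-z ]+?):\s+(?<msg>.*)$/', $line, $m)) {
        return null;
    }
    return ['ts' => $m['ts'], 'level' => $m['level'], 'msg' => $m['msg']];
}

// An error is interesting when it came from eval()'d code AND the pricing module.
function is_eval_error_in_pricing(array $e): bool
{
    return str_contains($e['msg'], "eval()'d code") && str_contains($e['msg'], PRICING_FILE);
}

// Collect matching entries and count them per minute to surface bursts.
function triage(array $lines): array
{
    $hits = [];
    $perMinute = [];
    foreach ($lines as $n => $line) {
        $e = parse_line($line);
        if ($e === null || !is_eval_error_in_pricing($e)) continue;
        $hits[] = ['line' => $n + 1, 'level' => $e['level'], 'ts' => $e['ts']];
        $minute = substr($e['ts'], 0, 17);   // "24-Mar-2026 10:05"
        $perMinute[$minute] = ($perMinute[$minute] ?? 0) + 1;
    }
    return ['hits' => $hits, 'per_minute' => $perMinute];
}

$r = triage(SAMPLE_LOG);
foreach ($r['hits'] as $h) {
    printf("log line %d: %s at %s\n", $h['line'], $h['level'], $h['ts']);
}
foreach ($r['per_minute'] as $minute => $count) {
    if ($count >= 2) printf("burst: %d eval() errors in pricing module during %s\n", $count, $minute);
}
```

On a live site, point the same functions at the web server's PHP error log or wp-content/debug.log (when WP_DEBUG_LOG is enabled); the warning on the last sample line is ordinary formula misuse and is deliberately not flagged, which keeps the signal focused on formulas that failed to parse as PHP.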
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.