CVE-2026-4001: WooCommerce Custom Product Addons RCE Flaw

CVE-2026-4001 Overview

The WooCommerce Custom Product Addons Pro plugin for WordPress contains a critical Remote Code Execution (RCE) vulnerability affecting all versions up to and including 5.4.1. The vulnerability exists in the custom pricing formula functionality, specifically within the process_custom_formula() function located in includes/process/price.php. Insufficient input sanitization allows unauthenticated attackers to inject and execute arbitrary PHP code on vulnerable WordPress installations.

Critical Impact

Unauthenticated attackers can achieve full server compromise by injecting malicious PHP code through product addon text fields configured with custom pricing formulas, potentially leading to complete website takeover, data theft, and lateral movement within hosting environments.

Affected Products

• WooCommerce Custom Product Addons Pro versions up to and including 5.4.1
• WordPress installations using vulnerable WCPA Pro versions with custom pricing formulas enabled
• E-commerce sites utilizing pricingType: "custom" configuration with {this.value} templates

Discovery Timeline

• 2026-03-24 - CVE CVE-2026-4001 published to NVD
• 2026-03-24 - Last updated in NVD database

Technical Details for CVE-2026-4001

Vulnerability Analysis

This vulnerability is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), commonly known as PHP Code Injection or eval() Injection. The core issue stems from the plugin's handling of user-supplied input within custom pricing calculations.

When a product is configured to use custom pricing formulas (specifically when pricingType is set to "custom" and the formula includes {this.value}), user-submitted field values are processed through the sanitize_values() method before being passed to PHP's eval() function. While the sanitization method strips HTML tags from input, it fails to escape single quotes or properly validate that the input contains only numeric or expected mathematical expressions.

This architectural flaw allows an unauthenticated attacker to submit a specially crafted payload through any WCPA text field that has custom pricing enabled. The malicious input bypasses the inadequate sanitization and is directly evaluated as PHP code, granting the attacker arbitrary code execution capabilities with the privileges of the web server process.

Root Cause

The root cause is the combination of two security failures: First, the sanitize_values() method only performs HTML tag stripping without escaping special characters (particularly single quotes) or implementing a whitelist of permitted characters for mathematical expressions. Second, and more fundamentally, the use of PHP's eval() function to process user-controllable input is inherently dangerous. The plugin passes insufficiently sanitized user input directly to eval() for dynamic pricing calculations, creating a direct code injection pathway. A secure implementation would use a mathematical expression parser or a sandboxed evaluation mechanism rather than native PHP code execution.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker identifies a WordPress site using the vulnerable plugin by locating product pages with WCPA custom addon fields. By analyzing the frontend or testing field behavior, the attacker determines which fields use custom pricing formulas. The attacker then crafts a malicious payload designed to break out of the expected mathematical context within the eval() statement and inject arbitrary PHP code. This payload is submitted through the normal product customization interface, such as adding a product to cart with a manipulated field value. Upon processing the pricing formula, the server executes the injected PHP code. This could include establishing reverse shells, creating backdoor files, exfiltrating database credentials, or any other malicious operation. Since the attack requires no privileges and targets a customer-facing feature, all WordPress sites with the vulnerable plugin and custom pricing enabled are at risk.

Detection Methods for CVE-2026-4001

Indicators of Compromise

• Unusual PHP error logs referencing eval() or process_custom_formula() in includes/process/price.php
• Web server logs showing product requests with abnormal characters in addon field parameters, particularly single quotes, backticks, or PHP function names
• Newly created PHP files in WordPress directories with unfamiliar names or recent timestamps
• Unexpected outbound connections from the web server process to external IP addresses
• Modified .htaccess files or creation of new admin user accounts

Detection Strategies

• Implement Web Application Firewall (WAF) rules to detect and block requests containing PHP code patterns in product addon parameters
• Deploy file integrity monitoring on WordPress installations to detect unauthorized file modifications
• Configure intrusion detection systems to alert on eval() exploitation patterns in HTTP request bodies
• Utilize SentinelOne's behavioral AI to detect anomalous process execution spawned from PHP/web server processes

Monitoring Recommendations

• Enable verbose logging for WooCommerce and WCPA Pro plugin activities
• Monitor web server error logs for PHP parse errors or unexpected eval() failures that may indicate exploitation attempts
• Set up alerts for new file creation events within WordPress wp-content directories
• Implement egress filtering and monitor for unexpected outbound connections from web server processes

How to Mitigate CVE-2026-4001

Immediate Actions Required

• Disable custom pricing formulas on all WCPA Pro addon fields by changing pricingType from "custom" to standard pricing options
• If custom pricing is essential, remove the vulnerable plugin until a patched version is available
• Review WordPress installations for signs of compromise including new user accounts, modified files, or suspicious scheduled tasks
• Implement WAF rules to block requests containing PHP code injection patterns targeting product addon fields

Patch Information

As of the last update on 2026-03-24, users should check the ACOWebs Product Addons page for the latest security updates. Refer to the Wordfence Vulnerability Report for detailed vulnerability intelligence and patch availability notifications. When an update becomes available, test in a staging environment before applying to production, and verify that the patch properly addresses the eval() injection vulnerability by implementing proper input validation or replacing eval() with a secure expression parser.

Workarounds

• Disable the custom pricing formula feature entirely by not using pricingType: "custom" configuration in product addon settings
• Use percentage-based or fixed-price addon configurations instead of formula-based pricing
• Implement server-level input filtering using ModSecurity or similar WAF with rules blocking PHP function names and code patterns in POST data
• Restrict plugin functionality to authenticated administrators only by implementing additional access controls at the server level

# ModSecurity rule to block potential eval() injection attempts
SecRule ARGS "@rx (?:eval|exec|system|passthru|shell_exec|phpinfo)\s*\(" \
    "id:100001,phase:2,deny,status:403,log,msg:'Potential PHP code injection blocked'"