CVE-2026-4001
published 2026-03-24CVE-2026-4001: The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the…
PriorityP185critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
0.71%
48.7th percentile
The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acowebs | woocommerce_custom_product_addons_pro | <= 5.4.1 | — |
| tinacms | cli | >= 0 < 2.1.8 | 2.1.8 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-2qpc-rpxq-phv6: The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5
ghsa_unreviewed·2026-03-24
CVE-2026-4001 [CRITICAL] CWE-95 GHSA-2qpc-rpxq-phv6: The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5
The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).
GHSA
TinaCMS Vulnerable to Path Traversal Leading to Arbitrary File Read, Write and Delete
ghsa·2026-03-12
CVE-2026-28793 [HIGH] CWE-22 TinaCMS Vulnerable to Path Traversal Leading to Arbitrary File Read, Write and Delete
TinaCMS Vulnerable to Path Traversal Leading to Arbitrary File Read, Write and Delete
## Summary
The TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory.
## Details
When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as:
- /media/list/*
- /media/upload/*
- /media/*
These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory.
### Vulnerable code
```
bb.on('file', async (_name, file, _info) => {
const fullPath = decodeURI(req.url?.slice('/media/upload/'.length));
const sa
VulnCheck
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
vulncheck·2026·CVSS 9.8
CVE-2026-4001 [CRITICAL] Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" wi
No detection rules found.
No public exploits indexed.
2026-03-24
Published
Exploited in the wild