CVE-2026-4001 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: March 24, 2026
Woocommerce Custom Product Addons Pro - Remote Code Execution
Published: March 24, 2026 | Updated: March 24, 2026 | Remotely Exploitable
Overview
Woocommerce Custom Product Addons Pro for WordPress, versions <= 5.4.1, contains a remote code execution vulnerability. User-submitted field values are insufficiently sanitized before the custom pricing formula is passed to eval() in process_custom_formula(), which lets unauthenticated attackers execute arbitrary code remotely. Exploitation requires crafted input in a custom pricing formula field.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
Mitigation
Update to the latest version of Woocommerce Custom Product Addons Pro.
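For developers maintaining a similar pricing-formula feature, the class of flaw described in the Overview (CWE-95) is avoided by never handing user-influenced text to eval(). The following is an added example, not the plugin's code or its patch: a small arithmetic evaluator for PHP 8, with hypothetical function names and a hypothetical {field} placeholder syntax.

```php
<?php
// Added example (hypothetical names); evaluates + - * / and parentheses without eval().
function safe_price_formula(string $formula, array $fields): float {
    // Substitute placeholders only with strictly numeric values (\z rejects a trailing newline).
    $expr = preg_replace_callback('/\{(\w+)\}/', function ($p) use ($fields) {
        $v = $fields[$p[1]] ?? '';
        if (!is_scalar($v) || !preg_match('/\A\d+(?:\.\d+)?\z/', (string) $v)) {
            throw new InvalidArgumentException("non-numeric field: {$p[1]}");
        }
        return '(' . $v . ')';
    }, $formula);
    // Tokenize; if the tokens do not account for every non-space character, reject.
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
    if (strlen($expr) > 512 || implode('', $m[0]) !== preg_replace('/\s+/', '', $expr)) {
        throw new InvalidArgumentException('formula too long or contains disallowed characters');
    }
    $pos = 0;
    $value = parse_expr($m[0], $pos);
    if ($pos !== count($m[0])) throw new InvalidArgumentException('unexpected token');
    return $value;
}
// Precedence climbing: level 0 handles + and -, level 1 handles * and /, level 2 is an atom.
function parse_expr(array $t, int &$i, int $level = 0): float {
    $ops = [['+', '-'], ['*', '/']];
    if ($level === 2) return parse_atom($t, $i);
    $v = parse_expr($t, $i, $level + 1);
    while ($i < count($t) && in_array($t[$i], $ops[$level], true)) {
        $op = $t[$i++];
        $r = parse_expr($t, $i, $level + 1);
        if ($op === '/' && $r == 0.0) throw new InvalidArgumentException('division by zero');
        $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
    }
    return $v;
}
// Atom: a number, a unary minus, or a parenthesized sub-expression.
function parse_atom(array $t, int &$i): float {
    if ($i >= count($t)) throw new InvalidArgumentException('unexpected end of formula');
    $tok = $t[$i++];
    if ($tok === '-') return -parse_atom($t, $i);
    if ($tok === '(') {
        $v = parse_expr($t, $i);
        if ($i >= count($t) || $t[$i++] !== ')') throw new InvalidArgumentException('missing )');
        return $v;
    }
    if (!is_numeric($tok)) throw new InvalidArgumentException("unexpected token: $tok");
    return (float) $tok;
}
// Constructed input: field values arrive as strings, as they would from a submitted form.
var_dump(safe_price_formula('{qty} * 2.5 + 10', ['qty' => '4']));
```

Any field value that is not a plain decimal number, and any formula character outside digits, operators and parentheses, raises InvalidArgumentException instead of reaching an interpreter.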
Details
- CVE ID: CVE-2026-4001
- Severity: Critical
- CVSS Score: 9.8
- Type: command_injection
- Status: new
CWE
- CWE-95
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H