CVE-2026-4001

Name of the Vulnerable Software and Affected Versions Woocommerce Custom Product Addons Pro versions prior to 5.4.2

Description The Woocommerce Custom Product Addons Pro plugin for WordPress is susceptible to Remote Code Execution. This occurs because of inadequate sanitization and validation of user-supplied field values before they are passed to PHP's eval() function. The sanitize values() method removes HTML tags but does not escape single quotes or prevent PHP code injection. This allows unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with a custom pricing formula (pricingType: "custom" with {this.value}). The vulnerable code resides in the process custom formula() function within the includes/process/price.php file.

Recommendations Versions prior to 5.4.2 should be updated.