CVE-2026-4001
Published: 24 March 2026
Summary
CVE-2026-4001 is a critical-severity Eval Injection (CWE-95) vulnerability in Acowebs (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE's root cause by requiring validation and sanitization of user-submitted values in custom pricing fields before passing to PHP's eval() function.
Ensures timely remediation of the flaw in Woocommerce Custom Product Addons Pro versions up to 5.4.1 through patching or upgrades as per vendor advisories.
Vulnerability scanning detects the RCE flaw (CVE-2026-4001) in the plugin, enabling proactive mitigation before exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-4001 enables unauthenticated remote code execution via unsanitized input to PHP eval() in a public-facing WordPress plugin, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient…
more
sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).
Deeper analysisAI
CVE-2026-4001 is a remote code execution vulnerability in the Woocommerce Custom Product Addons Pro plugin for WordPress, affecting all versions up to and including 5.4.1. The flaw exists in the process_custom_formula() function within includes/process/price.php, where user-submitted field values for custom pricing formulas are passed directly to PHP's eval() function without adequate sanitization or validation. The plugin's sanitize_values() method only strips HTML tags but does not escape single quotes or block PHP code injection, enabling attackers to inject and execute arbitrary code.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By submitting a specially crafted value to a WCPA text field configured for custom pricing (pricingType: "custom" with {this.value}), they can trigger the unsafe eval() execution. Successful exploitation grants full control over the server, including high confidentiality, integrity, and availability impacts, as reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code).
Mitigation guidance is available in advisories from the plugin vendor at https://acowebs.com/woo-custom-product-addons/ and Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae94e98632?source=cve.
Details
- CWE(s)