Woocommerce Custom Product Addons Pro Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in the Woocommerce Custom Product Addons Pro plugin for WordPress, affecting all versions prior to 5.4.1. The flaw is in the process_custom_formula() function in includes/process/price.php, which passes user-submitted field values to PHP's eval() without adequate sanitization. The sanitize_values() method applied beforehand only removes HTML tags; it neither escapes single quotes nor otherwise prevents PHP code from being injected, so a value containing a single quote can terminate the quoted string the formula embeds it in and append arbitrary PHP, which eval() then executes. As a result, an unauthenticated attacker can run arbitrary code on the server by submitting a crafted value for any WCPA text field whose price is computed with a custom formula.
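The pattern the advisory describes, reconstructed as an added example (this is illustrative code written for this page, not the plugin's own source): a sanitizer that strips HTML but leaves quotes, a formula that splices the value into a single-quoted PHP literal, and eval() over the result, beside a hardened version that validates the value and computes the formula without eval(). The {field} placeholder syntax, the restricted formula grammar and the function names (sanitize_values_weak, process_custom_formula_weak, process_custom_formula_safe) are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code. The weak path mirrors the pattern
// the advisory describes: strip HTML, splice the value into a single-quoted
// PHP string inside a price formula, eval() the result. The "{field}"
// placeholder syntax and the function names are assumptions for this example.

// Weak sanitizer: strips tags only; quotes, parentheses and semicolons survive.
function sanitize_values_weak(string $value): string
{
    return strip_tags($value);
}

// Vulnerable: the customer-supplied value lands inside a quoted literal in
// code that is evaluated, so a quote in the value ends the literal early and
// whatever follows it is parsed as PHP.
function process_custom_formula_weak(string $formula, string $user_value): float
{
    $value = sanitize_values_weak($user_value);
    $expr  = str_replace('{field}', "'" . $value . "'", $formula);
    return (float) eval("return $expr;");
}

// Hardened: no eval() at all. The field value must be numeric, and the
// formula is limited to "{field} <op> <constant>", evaluated by hand.
// (Assumed grammar; a real plugin would need a proper expression parser,
// but the principle is the same: parse and compute, never eval() user data.)
function process_custom_formula_safe(string $formula, string $user_value): float
{
    if (!is_numeric($user_value)) {
        throw new InvalidArgumentException('field value must be numeric');
    }
    if (!preg_match('/^\{field\}\s*([+\-*\/])\s*(\d+(?:\.\d+)?)$/', trim($formula), $m)) {
        throw new InvalidArgumentException('unsupported formula');
    }
    $n = (float) $user_value;
    $k = (float) $m[2];
    switch ($m[1]) {
        case '+':
            return $n + $k;
        case '-':
            return $n - $k;
        case '*':
            return $n * $k;
        default:
            if ($k == 0.0) {
                throw new InvalidArgumentException('division by zero in formula');
            }
            return $n / $k;
    }
}

// Constructed inputs: a benign value and one that closes the literal and
// injects a PHP closure. The closure only sets a flag so the effect is
// visible without touching the system; an attacker could run anything here.
$formula  = '{field} * 2';
$benign   = '21';
$injected = '0\' + (function () { $GLOBALS["injected"] = true; return 0; })() + \'0';

$GLOBALS['injected'] = false;
echo "weak, benign:   ", process_custom_formula_weak($formula, $benign), "\n";
echo "weak, injected: ", process_custom_formula_weak($formula, $injected), "\n";
echo "injected code ran: ", var_export($GLOBALS['injected'], true), "\n";

echo "safe, benign:   ", process_custom_formula_safe($formula, $benign), "\n";
try {
    process_custom_formula_safe($formula, $injected);
} catch (InvalidArgumentException $e) {
    echo "safe, injected: rejected (", $e->getMessage(), ")\n";
}
```

Run with php on the command line: on the weak path the benign value is priced normally, the crafted value still yields a number, and the flag shows that the attacker's closure executed inside eval(); the hardened path prices the benign value identically and rejects the crafted one before any evaluation. Escaping quotes (for example with addslashes) would close this particular breakout but would still leave eval() running over text derived from request data; removing eval() from the price path is the change to aim for.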
Impact
Exploitation of this vulnerability allows unauthenticated remote code execution on the server, with the privileges of the PHP process serving the site; an attacker who reaches this point controls the WordPress installation and the data it holds.
Remediation
Users are advised to update the Woocommerce Custom Product Addons Pro plugin to version 5.4.2 or later.
