Woocommerce Custom Product Addons Pro Vulnerability (Critical) – CV…

by | Mar 23, 2026 | Plugins

Attack Vectors

Woocommerce Custom Product Addons Pro (slug: woo-custom-product-addons-pro) is affected by a Critical vulnerability (CVSS 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) tracked as CVE-2026-4001.

The risk is highest for organizations running WooCommerce stores that expose product pages and checkout flows to the public. The issue is described as unauthenticated remote code execution, and the CVSS vector agrees (PR:N, UI:N): an attacker needs neither a customer account nor any action from a victim. The primary attack surface is therefore the public-facing storefront itself, specifically the requests that carry custom add-on values into the plugin's pricing calculation.

Security Weakness

According to the published details, the plugin evaluates a “custom pricing formula” using PHP’s eval() inside process_custom_formula() (file: includes/process/price.php). The input values used in that formula are not sufficiently sanitized or validated before being passed into eval().

While the plugin’s sanitize_values() method strips HTML tags, the advisory indicates it does not escape single quotes or otherwise prevent PHP code injection. Stripping tags is the wrong control for this sink: the values are interpolated into PHP source that eval() then compiles, so a single quote in a submitted value closes the surrounding string literal and whatever follows it is executed as PHP. In practical terms, any user-submitted field that influences a pricing formula becomes a pathway for server-side code execution.

Source reference: Wordfence vulnerability advisory.
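To make the weakness concrete, the following is an added illustration written for this article; it is not the plugin's code and not taken from the Wordfence advisory. It reconstructs the pattern the advisory describes (values passed through strip_tags() and then interpolated into an eval()'d formula inside single quotes) and places a hardened version beside it that validates every value as numeric and evaluates the arithmetic with a small recursive-descent parser instead of eval(). The function names, the `{qty} * {price}` formula, the placeholder names and the `injected_marker()` stand-in for an attacker's real payload (which would typically be something like system()) are all assumptions constructed for the example; the real plugin's internals may differ in detail.

```php
<?php
// Added illustration of the eval()-based weakness described above. Constructed for this
// article, NOT the plugin's own code; function names, placeholders and formula are assumptions.

// Vulnerable pattern, modelled on the advisory: values pass through strip_tags() only, are
// interpolated into PHP source inside single quotes and handed to eval(). A single quote in
// a value closes the literal and whatever follows it is compiled and run as PHP.
function vulnerable_process_custom_formula(string $formula, array $values): float
{
    foreach (array_map('strip_tags', $values) as $name => $value) {   // strips <tags> only
        $formula = str_replace('{' . $name . '}', "'" . $value . "'", $formula);
    }
    return (float) eval('return ' . $formula . ';');                  // the injection sink
}

// Hardened pattern: every value must be numeric and is re-serialised from a float, so only
// digits, a sign and a decimal point reach the formula; the formula is then evaluated by a
// small arithmetic parser rather than by eval().
function safe_process_custom_formula(string $formula, array $values): float
{
    foreach ($values as $name => $value) {
        if (!is_numeric($value)) { throw new InvalidArgumentException("Non-numeric value for $name"); }
        $formula = str_replace('{' . $name . '}', sprintf('%.6F', (float) $value), $formula);
    }
    return ArithmeticEvaluator::evaluate($formula);
}

// Recursive-descent evaluator for + - * / ( ), spaces and decimal literals, nothing else.
final class ArithmeticEvaluator
{
    private string $s;
    private int $i = 0;
    private function __construct(string $s) { $this->s = $s; }

    public static function evaluate(string $expr): float
    {
        if (!preg_match('~^[0-9.+\-*/() ]+$~', $expr)) {   // allowlist: no quotes, names, braces
            throw new InvalidArgumentException('Formula contains disallowed characters');
        }
        $p = new self($expr);
        $v = $p->expr();
        if ($p->peek() !== '') { throw new InvalidArgumentException('Unexpected input at offset ' . $p->i); }
        return $v;
    }
    // Next significant character, skipping spaces; '' at end of input.
    private function peek(): string { while (($this->s[$this->i] ?? '') === ' ') { $this->i++; } return $this->s[$this->i] ?? ''; }

    private function expr(): float    // expr := term (('+'|'-') term)*
    {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->s[$this->i++];
            $r  = $this->term();
            $v  = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }
    private function term(): float    // term := factor (('*'|'/') factor)*
    {
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->s[$this->i++];
            $r  = $this->factor();
            if ($op === '/' && $r == 0.0) { throw new DivisionByZeroError('Division by zero in formula'); }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }
    private function factor(): float  // factor := '-' factor | '(' expr ')' | number
    {
        $c = $this->peek();
        if ($c === '-') { $this->i++; return -$this->factor(); }
        if ($c === '(') {
            $this->i++;
            $v = $this->expr();
            if ($this->peek() !== ')') { throw new InvalidArgumentException('Missing )'); }
            $this->i++;
            return $v;
        }
        if (preg_match('/\G\d+(?:\.\d+)?/', $this->s, $m, 0, $this->i)) {
            $this->i += strlen($m[0]);
            return (float) $m[0];
        }
        throw new InvalidArgumentException('Malformed formula at offset ' . $this->i);
    }
}

// Demonstration. injected_marker() stands in for a real payload such as system('id').
$GLOBALS['injected_ran'] = false;
function injected_marker(): int { $GLOBALS['injected_ran'] = true; return 1; }

$formula   = '{qty} * {price}';
$benign    = ['qty' => '3', 'price' => '19.99'];
$malicious = ['qty' => "0' + injected_marker() + '0", 'price' => '19.99'];   // no tags to strip

printf("vulnerable, benign : %.2f\n", vulnerable_process_custom_formula($formula, $benign));
vulnerable_process_custom_formula($formula, $malicious);
printf("vulnerable, payload: injected code ran = %s\n", $GLOBALS['injected_ran'] ? 'yes' : 'no');
printf("hardened,   benign : %.2f\n", safe_process_custom_formula($formula, $benign));
try {
    safe_process_custom_formula($formula, $malicious);
} catch (InvalidArgumentException $e) {
    echo 'hardened,   payload: rejected (' . $e->getMessage() . ")\n";
}
```

Running the file shows both paths computing the same benign price, while the malicious value (which contains no HTML and so survives strip_tags() untouched) gets its embedded call executed by the eval() version and is rejected as non-numeric by the hardened one. The two defences are deliberately layered: is_numeric() plus re-serialisation controls what user input can contribute, and the parser's character allowlist and grammar make the evaluation step incapable of running code even if a future change let something else through.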

Technical or Business Impacts

This is a Critical issue because successful exploitation can enable an attacker to execute arbitrary code on the web server. For business leaders, that translates into immediate and material risk across confidentiality, integrity, and availability.

Business impacts may include:

  • Full site compromise: attackers may gain control of the WordPress environment and potentially pivot to other systems reachable from the server.
  • Data exposure and compliance risk: unauthorized access to customer data, order records, or other sensitive information can trigger regulatory notifications and contractual obligations.
  • Revenue loss and operational disruption: attackers can take the storefront offline, redirect transactions, manipulate pricing, or interrupt checkout—directly impacting sales and marketing campaigns.
  • Brand and customer trust damage: public disclosure of compromise can reduce conversion rates and increase churn, especially for DTC and subscription businesses.
  • Incident response and recovery costs: emergency forensic work, remediation, legal review, customer communications, and increased security spend can quickly exceed the cost of proactive patching.

Remediation: Update Woocommerce Custom Product Addons Pro to version 5.4.2 or a newer patched release as advised. In parallel, consider short-term risk reduction steps such as disabling or limiting exposure of add-on/custom pricing functionality where feasible, and ensure you have recent, restorable backups and security monitoring in place. Because the flaw is unauthenticated remote code execution, a store that ran a vulnerable version while publicly reachable should be reviewed for signs of compromise (unexpected PHP files, modified plugin or theme files, new administrator accounts, unfamiliar scheduled tasks) rather than treating the update alone as closure, and credentials held in the WordPress configuration should be rotated if compromise is suspected.

Similar Attacks

Remote code execution vulnerabilities in web applications have repeatedly been used to compromise organizations at scale, and unauthenticated flaws in widely installed WordPress plugins are a favoured target for automated, indiscriminate exploitation once details are public.