Critical (9.8)

WordPress RCE (CVE-2026-4001)

The WooCommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_c...

Overview

A critical security vulnerability has been discovered in the WooCommerce Custom Product Addons Pro plugin for WordPress. Tracked as CVE-2026-4001, this flaw allows unauthenticated attackers to execute arbitrary code on your web server, potentially leading to a complete site takeover.

Vulnerability Details

The vulnerability is in the plugin's custom pricing feature. When a product uses a custom pricing formula, values submitted in certain text fields are passed to PHP's eval(). The only sanitization applied is HTML-tag stripping, which is the wrong control for this sink: a PHP payload such as a function call contains no HTML tags, so it passes through untouched and eval() executes it as code. Anything that reaches eval() is code, not data, and no amount of tag stripping changes that; the fix is to remove eval() from the path and parse the formula with a restricted arithmetic evaluator.

Exploitation is straightforward. An attacker only needs to find a product page that uses the plugin's "custom" pricing type and submit a payload through the affected text field. No account or special privileges are required.
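The pattern the advisory describes, and the fix that removes it, as an added PHP example (not the plugin's code). The function name vulnerable_price, the PriceFormula class and the variable names base and qty are assumptions; only the "strip HTML tags, then eval()" pattern comes from the advisory. The hardened version replaces eval() with a small recursive-descent parser that accepts arithmetic, parentheses and whitelisted variables and throws on anything else:

```php
<?php
// Added example (not the plugin's code). Function, class and variable names are
// assumptions; only the "strip_tags() then eval()" pattern is from the advisory.

// --- The vulnerable pattern -------------------------------------------------
// strip_tags() removes <b>..</b>; it does nothing to PHP syntax, so whatever the
// shopper typed is executed. Never call this with untrusted input.
function vulnerable_price(string $formula): float
{
    $clean = strip_tags($formula);
    return (float) eval("return {$clean};");
}

// A payload with no HTML tags survives strip_tags() unchanged. Had it reached
// eval() above, the server would have run it. It is only compared here.
$payload = 'system("id"); //';
echo strip_tags($payload) === $payload ? 'strip_tags() left the payload intact' : 'changed', PHP_EOL;

// --- The hardened replacement -----------------------------------------------
// Recursive-descent parser for + - * / ( ) numbers and whitelisted variables.
// No eval(): the formula is data and can only yield a float or an exception.
final class PriceFormula
{
    private string $src;
    private int $pos = 0;
    private array $vars;                          // name => numeric value

    private function __construct(string $src, array $vars)
    {
        $this->src  = preg_replace('/\s+/', '', $src);
        $this->vars = $vars;
    }

    public static function evaluate(string $src, array $vars): float
    {
        $p = new self($src, $vars);
        $v = $p->expr();
        if ($p->pos !== strlen($p->src)) {       // trailing junk such as "; phpinfo()"
            throw new InvalidArgumentException("Unexpected input at offset {$p->pos}");
        }
        return $v;
    }

    private function peek(): string { return $this->src[$this->pos] ?? ''; }

    private function expr(): float               // expr := term (('+'|'-') term)*
    {
        $v = $this->term();
        while ($this->peek() === '+' || $this->peek() === '-') {
            $op = $this->src[$this->pos++];
            $r  = $this->term();
            $v  = ($op === '+') ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float               // term := factor (('*'|'/') factor)*
    {
        $v = $this->factor();
        while ($this->peek() === '*' || $this->peek() === '/') {
            $op = $this->src[$this->pos++];
            $r  = $this->factor();
            if ($op === '/' && $r == 0.0) {
                throw new DivisionByZeroError('Division by zero in pricing formula');
            }
            $v = ($op === '*') ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function factor(): float             // number | name | '(' expr ')' | '-' factor
    {
        $c = $this->peek();
        if ($c === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            $this->pos++;
            return $v;
        }
        if ($c === '-') { $this->pos++; return -$this->factor(); }
        if (preg_match('/\G\d+(?:\.\d+)?/', $this->src, $m, 0, $this->pos)) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        if (preg_match('/\G[a-z_]+/', $this->src, $m, 0, $this->pos)) {
            if (!array_key_exists($m[0], $this->vars)) {
                throw new InvalidArgumentException("Unknown variable '{$m[0]}'");
            }
            $this->pos += strlen($m[0]);
            return (float) $this->vars[$m[0]];
        }
        throw new InvalidArgumentException("Illegal input at offset {$this->pos}");
    }
}

// Constructed inputs: one legitimate formula and payloads of the kind the
// advisory describes. Each payload is rejected before anything is evaluated.
$vars = ['base' => 19.99, 'qty' => 3];
echo PriceFormula::evaluate('(base + 2.50) * qty', $vars), PHP_EOL;
foreach (['system("id"); //', 'base * qty; phpinfo()', '`id`', '$_GET["c"]'] as $bad) {
    try {
        PriceFormula::evaluate($bad, $vars);
        echo "ACCEPTED (bug): {$bad}", PHP_EOL;
    } catch (Throwable $e) {
        echo "rejected: {$bad} -> ", $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php example.php`. The check at the top only shows that strip_tags() leaves PHP syntax untouched; the payload is never passed to eval(). If a formula language genuinely needs functions such as rounding or min/max, add them to the parser as named productions with fixed arity rather than resolving user-supplied names with eval() or call_user_func().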

Potential Impact

The impact of this vulnerability is severe. Successful exploitation grants an attacker the ability to run any code they wish on your web server. This could lead to:

  • Complete compromise of your WordPress site and server.
  • Theft of sensitive customer data, including personal and payment information.
  • Installation of backdoors, malware, or ransomware.
  • Defacement of your website or use of your server for attacks on other systems.

Such incidents can result in significant financial loss, legal liability, and severe reputational damage.

Remediation and Mitigation

Immediate Action Required:

  1. Update Immediately: Update the WooCommerce Custom Product Addons Pro plugin to a release newer than 5.4.1 as soon as the developer publishes one, and enable auto-updates for the plugin so later fixes are not missed.
  2. Temporary Mitigation: Until a fixed release is installed, deactivate the plugin (WordPress admin, Plugins, deactivate "WooCommerce Custom Product Addons Pro"). Deactivation removes the vulnerable code path from every request; leaving it active is an unacceptable risk. If the shop cannot operate without the plugin, at minimum switch every product off the "custom" pricing type, since that is the feature the attack path requires, and treat this as a stopgap only.
  3. Investigate for Compromise: If the site ran a vulnerable version while exposed, assume compromise until shown otherwise. Look for PHP files under wp-content/uploads, files modified outside your maintenance windows, administrator accounts you did not create, unknown scheduled (wp-cron) events, and modified core or plugin files compared against known-good copies. If anything is found, rotate database credentials, API keys and the authentication salts in wp-config.php (which invalidates every existing login cookie), and consider professional incident response.

For any site running this plugin, addressing CVE-2026-4001 is the top security priority.
