{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/custom-product-addons-pro-plugin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Custom Product Addons Pro plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","woocommerce","rce","code-injection","cve-2026-4001"],"_cs_type":"advisory","_cs_vendors":["Woocommerce"],"content_html":"\u003cp\u003eThe Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution (RCE) in versions up to and including 5.4.1. This vulnerability, identified as CVE-2026-4001, stems from a flaw in the \u003ccode\u003eprocess_custom_formula()\u003c/code\u003e function within \u003ccode\u003eincludes/process/price.php\u003c/code\u003e. The plugin fails to adequately sanitize and validate user-submitted field values before passing them to PHP's \u003ccode\u003eeval()\u003c/code\u003e function, specifically when a custom pricing formula is used. The \u003ccode\u003esanitize_values()\u003c/code\u003e method only strips HTML tags and does not escape single quotes or prevent PHP code injection. This vulnerability enables unauthenticated attackers to inject and execute arbitrary PHP code on the server. Successful exploitation can lead to complete server compromise, data exfiltration, and denial of service. Defenders should be aware of potential exploitation attempts targeting this vulnerability to prevent unauthorized access and maintain system integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version (\u0026lt;=5.4.1) of the Woocommerce Custom Product Addons Pro plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a product page with a WCPA text field configured with a custom pricing formula (pricingType: \u0026quot;custom\u0026quot; with {this.value}).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing PHP code designed for remote code execution. This payload is injected into the WCPA text field.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the form with the crafted payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprocess_custom_formula()\u003c/code\u003e function in \u003ccode\u003eincludes/process/price.php\u003c/code\u003e receives the unsanitized input.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esanitize_values()\u003c/code\u003e method strips HTML tags but fails to prevent PHP code injection due to insufficient escaping of single quotes and other special characters.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is then passed to the \u003ccode\u003eeval()\u003c/code\u003e function, which executes the injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves Remote Code Execution (RCE) on the server, potentially gaining the ability to execute system commands, install malware, or steal sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4001 allows unauthenticated attackers to execute arbitrary code on the targeted WordPress server. This can lead to complete server compromise, allowing attackers to gain full control over the website and its data. Potential impacts include defacement of the website, theft of sensitive customer data, installation of backdoors for persistent access, and use of the server for malicious activities such as spamming or hosting phishing sites. Given the popularity of Woocommerce, a large number of e-commerce sites are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches or upgrade to a version of the Woocommerce Custom Product Addons Pro plugin that addresses CVE-2026-4001, specifically versions greater than 5.4.1.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for suspicious POST requests to WordPress pages containing WCPA text fields with custom pricing formulas, using the provided Sigma rule targeting \u003ccode\u003ecs-uri-query\u003c/code\u003e in webserver logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures beyond HTML tag stripping to prevent code injection, particularly for fields passed to PHP's \u003ccode\u003eeval()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor file system changes in the WordPress plugins directory (\u003ccode\u003e/wp-content/plugins/\u003c/code\u003e) for unauthorized modifications or new file creations using file integrity monitoring tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T10:00:00Z","date_published":"2024-01-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-woocommerce-rce/","summary":"The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution (RCE) due to insufficient sanitization of user-submitted field values, allowing unauthenticated attackers to execute arbitrary code via crafted WCPA text fields.","title":"Woocommerce Custom Product Addons Pro Plugin RCE Vulnerability (CVE-2026-4001)","url":"https://feed.craftedsignal.io/briefs/2024-01-woocommerce-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Custom Product Addons Pro Plugin","version":"https://jsonfeed.org/version/1.1"}