<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Custom Product Addons Pro Plugin - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/custom-product-addons-pro-plugin/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/custom-product-addons-pro-plugin/feed.xml" rel="self" type="application/rss+xml"/><item><title>Woocommerce Custom Product Addons Pro Plugin RCE Vulnerability (CVE-2026-4001)</title><link>https://feed.craftedsignal.io/briefs/2024-01-woocommerce-rce/</link><pubDate>Mon, 29 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-woocommerce-rce/</guid><description>The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution (RCE) due to insufficient sanitization of user-submitted field values, allowing unauthenticated attackers to execute arbitrary code via crafted WCPA text fields.</description><content:encoded><![CDATA[<p>The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution (RCE) in versions up to and including 5.4.1. This vulnerability, identified as CVE-2026-4001, stems from a flaw in the <code>process_custom_formula()</code> function within <code>includes/process/price.php</code>. The plugin fails to adequately sanitize and validate user-submitted field values before passing them to PHP's <code>eval()</code> function, specifically when a custom pricing formula is used. The <code>sanitize_values()</code> method only strips HTML tags and does not escape single quotes or prevent PHP code injection. This vulnerability enables unauthenticated attackers to inject and execute arbitrary PHP code on the server. Successful exploitation can lead to complete server compromise, data exfiltration, and denial of service. Defenders should be aware of potential exploitation attempts targeting this vulnerability to prevent unauthorized access and maintain system integrity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site using a vulnerable version (&lt;=5.4.1) of the Woocommerce Custom Product Addons Pro plugin.</li>
<li>The attacker locates a product page with a WCPA text field configured with a custom pricing formula (pricingType: &quot;custom&quot; with {this.value}).</li>
<li>The attacker crafts a malicious payload containing PHP code designed for remote code execution. This payload is injected into the WCPA text field.</li>
<li>The attacker submits the form with the crafted payload.</li>
<li>The <code>process_custom_formula()</code> function in <code>includes/process/price.php</code> receives the unsanitized input.</li>
<li>The <code>sanitize_values()</code> method strips HTML tags but fails to prevent PHP code injection due to insufficient escaping of single quotes and other special characters.</li>
<li>The malicious payload is then passed to the <code>eval()</code> function, which executes the injected PHP code.</li>
<li>The attacker achieves Remote Code Execution (RCE) on the server, potentially gaining the ability to execute system commands, install malware, or steal sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4001 allows unauthenticated attackers to execute arbitrary code on the targeted WordPress server. This can lead to complete server compromise, allowing attackers to gain full control over the website and its data. Potential impacts include defacement of the website, theft of sensitive customer data, installation of backdoors for persistent access, and use of the server for malicious activities such as spamming or hosting phishing sites. Given the popularity of Woocommerce, a large number of e-commerce sites are potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the latest security patches or upgrade to a version of the Woocommerce Custom Product Addons Pro plugin that addresses CVE-2026-4001, specifically versions greater than 5.4.1.</li>
<li>Inspect web server logs for suspicious POST requests to WordPress pages containing WCPA text fields with custom pricing formulas, using the provided Sigma rule targeting <code>cs-uri-query</code> in webserver logs.</li>
<li>Implement input validation and sanitization measures beyond HTML tag stripping to prevent code injection, particularly for fields passed to PHP's <code>eval()</code> function.</li>
<li>Monitor file system changes in the WordPress plugins directory (<code>/wp-content/plugins/</code>) for unauthorized modifications or new file creations using file integrity monitoring tools.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>woocommerce</category><category>rce</category><category>code-injection</category><category>cve-2026-4001</category></item></channel></rss>