Home / Vulnerability Intelligence / CVE-2026-4001

CVE-2026-4001 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 24, 2026

Woocommerce Custom Product Addons Pro - Remote Code Execution

Published: March 24, 2026Updated: March 24, 2026Remote Exploitable

Overview

Woocommerce Custom Product Addons Pro for WordPress <= 5.4.1 contains a remote code execution caused by insufficient sanitization of user-submitted field values in custom pricing formula eval() in process_custom_formula(), letting unauthenticated attackers execute arbitrary code remotely, exploit requires crafted input in custom pricing formula field.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 13.9%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.

Mitigation

Update to the latest version of Woocommerce Custom Product Addons Pro.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 24, 2026

🔴 CVE-2026-4001 - Critical (9.8) The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/proces... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4001/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-4001
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: unconfirmed
EPSS: 13.9%
Social Posts: 1

CWE

CWE-95

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

13.9%Probability of exploitation in the next 30 days