Is Your Website Running an Unsafe Version of Woocommerce Custom Product Addons Pro?

CRITICAL: A known security vulnerability has been identified in Woocommerce Custom Product Addons Pro. Our recent scans found 9 websites still running the affected version.

What Happened

During our routine security monitoring this week, we identified that Woocommerce Custom Product Addons Pro — a WordPress plugin used by thousands of websites — contains a security vulnerability in certain versions.

The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP’s eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: “custom” with {this.value}).

CVE: CVE-2026-4001

Vulnerability Type: Remote Code Execution
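The root cause above is a customer-submitted field value reaching PHP's eval() after only strip_tags-style cleaning. As an added example that is not the plugin's code (function names are hypothetical), the hardened alternative below evaluates a {this.value}-style pricing formula without eval(): the submitted value must be numeric and is substituted as a canonical float literal, and the formula is parsed with a whitelisted arithmetic grammar, so nothing in the request can become PHP code.

```php
<?php
// Added example (not the plugin's code; function names are hypothetical): evaluate a
// pricing formula such as "{this.value} * 2.5 + 10" without eval(). The customer value
// must be numeric and is never spliced into source text; the formula is then run by a
// small precedence-climbing parser that knows only numbers, + - * / and parentheses.

function safe_custom_price(string $formula, string $user_value): float
{
    if (!is_numeric($user_value)) {
        throw new InvalidArgumentException('Field value must be numeric');
    }
    // Substitute a canonical float literal (never the raw field value), drop whitespace.
    $expr = str_replace('{this.value}', sprintf('%.10F', (float) $user_value), $formula);
    $expr = preg_replace('/\s+/', '', $expr);
    $p = 0;
    $v = parse_expr($expr, $p);
    if ($p !== strlen($expr)) {
        throw new InvalidArgumentException("Unexpected input at offset $p");
    }
    return $v;
}

// expr := factor (op expr)*, where '*' and '/' bind tighter than '+' and '-'
function parse_expr(string $s, int &$p, int $min_prec = 0): float
{
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $v = parse_factor($s, $p);
    while ($p < strlen($s) && isset($prec[$s[$p]]) && $prec[$s[$p]] >= $min_prec) {
        $op = $s[$p++];
        $r  = parse_expr($s, $p, $prec[$op] + 1);
        $v  = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, default => $v / $r };
    }
    return $v;
}

// factor := '-' factor | '(' expr ')' | number; anything else is rejected, not executed
function parse_factor(string $s, int &$p): float
{
    if ($p < strlen($s) && $s[$p] === '-') { $p++; return -parse_factor($s, $p); }
    if ($p < strlen($s) && $s[$p] === '(') {
        $p++;
        $v = parse_expr($s, $p);
        if ($p >= strlen($s) || $s[$p++] !== ')') { throw new InvalidArgumentException('Missing )'); }
        return $v;
    }
    if (preg_match('/\G\d+(?:\.\d+)?/', $s, $m, 0, $p)) { $p += strlen($m[0]); return (float) $m[0]; }
    throw new InvalidArgumentException("Unexpected input at offset $p");
}

echo safe_custom_price('({this.value} + 2) * 2.5', '4'), "\n";
```

Because the grammar has no string, variable or function-call productions, a non-numeric field value is rejected at the is_numeric() check and any stray character in a formula raises an exception instead of being executed; on PHP 8 a division by zero in the formula throws DivisionByZeroError rather than returning a value.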

Who Is Affected

Plugin: Woocommerce Custom Product Addons Pro
Affected Versions: all versions up to, and including, 5.4.1
Severity: CRITICAL
Active Installs: thousands
Sites Found Vulnerable: 9 (from TrustedWeb scans)

What You Should Do

  1. Update the plugin to the latest version from your WordPress dashboard (Plugins → Installed Plugins → Update).
  2. Change your admin password if the vulnerability involves authentication or privilege escalation.
  3. Scan your website for any signs of compromise or modified files.
  4. Review your security headers — many sites we scan are also missing basic headers like HSTS and Content-Security-Policy.
  5. Check your site’s trust score to see your overall security posture.

How TrustedWeb Detected This

TrustedWeb continuously monitors vulnerability databases and cross-references them with data from our website security scans. This week alone, we analyzed 74 websites and identified outdated plugins, missing security headers, SSL issues, and more.

If you’re unsure whether your website is affected, run a free security scan to check for vulnerabilities, missing headers, SSL issues, and more.

About Responsible Disclosure

This vulnerability was reported through coordinated disclosure. The plugin developer was notified and has released a fix. We publish this information only after a patch is available, to help website owners protect themselves without exposing exploit details.

Source: NVD