CVE-2026-2296 is a code injection vulnerability categorized under CWE-94 that affects the Product Addons for Woocommerce – Product Options with Custom Fields plugin for WordPress, specifically all versions up to and including 3.1.0. The root cause is insufficient input validation of the 'operator' field used in conditional logic rules within the evalConditions() function. This field is passed directly and unsanitized to PHP's eval() function, which evaluates the input as PHP code. Because eval() executes arbitrary code, an attacker with authenticated access at the Shop Manager level or above can craft malicious input in the 'operator' parameter to inject and execute arbitrary PHP code on the server hosting the WordPress site. This can lead to full compromise of the web server, including data theft, defacement, or pivoting to internal networks. The vulnerability requires no user interaction beyond authentication and has a CVSS 3.1 base score of 7.2, indicating high severity with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. No known public exploits have been reported yet, but the presence of eval() with unsanitized input is a critical security anti-pattern that is often targeted by attackers. The vulnerability affects all versions of the plugin up to 3.1.0, and no official patches or updates are currently linked, so mitigation relies on access control and monitoring until a fix is released.

For European organizations, this vulnerability poses a significant risk to e-commerce platforms running WordPress with the affected plugin. Exploitation can lead to unauthorized code execution on web servers, resulting in data breaches involving customer information, payment details, and intellectual property. It can also cause service disruption through defacement or denial of service, damaging brand reputation and customer trust. Given the widespread use of WooCommerce in Europe, especially in countries with strong e-commerce sectors like Germany, the UK, France, and the Netherlands, the potential impact is considerable. Attackers gaining Shop Manager-level access could leverage this vulnerability to escalate privileges, move laterally within networks, and compromise backend systems. The vulnerability also raises compliance risks under GDPR due to potential exposure of personal data. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers often develop exploits rapidly once vulnerabilities are disclosed.

European organizations should immediately audit their WordPress installations to identify the use of the affected Product Addons for Woocommerce plugin versions. Until an official patch is released, organizations should restrict Shop Manager and higher privileges to only trusted personnel and review user roles to minimize the number of accounts with such access. Implementing strict input validation and sanitization at the application level, if possible, can reduce risk. Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'operator' parameter in conditional logic rules. Regularly monitor logs for unusual activity related to plugin configuration changes. Consider temporarily disabling the plugin or the conditional logic feature if feasible. Organizations should also prepare for rapid patch deployment once the vendor releases a fix and conduct penetration testing to verify the effectiveness of mitigations. Backup critical data and have incident response plans ready in case of exploitation.