CVE-2026-4001: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in acowebs Woocommerce Custom Product Addons Pro
CVE-2026-4001 is a critical remote code execution vulnerability in the Woocommerce Custom Product Addons Pro WordPress plugin, affecting all versions up to 5.4.1. The flaw arises from improper sanitization of user input passed to PHP's eval() function in the custom pricing formula feature, allowing unauthenticated attackers to execute arbitrary code on the server. The sanitize_values() method fails to escape single quotes or prevent PHP code injection, making exploitation straightforward without authentication or user interaction. This vulnerability has a CVSS score of 9.8, reflecting its high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the widespread use of WooCommerce make this a significant threat. Organizations using this plugin should urgently apply patches or implement mitigations to prevent potential compromise. Countries with large e-commerce markets and high WordPress adoption are at greatest risk.
AI Analysis
Technical Summary
CVE-2026-4001 is a critical vulnerability classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, also known as Eval Injection) found in the Woocommerce Custom Product Addons Pro plugin for WordPress. The vulnerability exists in all versions up to and including 5.4.1 within the process_custom_formula() function located in includes/process/price.php. This function uses PHP's eval() to process custom pricing formulas submitted via user input fields. The sanitize_values() method attempts to sanitize input by stripping HTML tags but fails to escape single quotes or otherwise prevent injection of PHP code. Consequently, an attacker can submit specially crafted input to a WCPA text field configured with a custom pricing formula (pricingType: "custom" with {this.value}) to execute arbitrary PHP code remotely on the server. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. The CVSS v3.1 base score is 9.8, indicating critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact includes full compromise of the affected server, allowing attackers to execute arbitrary commands, steal data, modify content, or disrupt service. No official patches or fixes are linked yet, and no known exploits are publicly reported, but the risk remains urgent due to the plugin's popularity in e-commerce environments.
Potential Impact
The impact of CVE-2026-4001 is severe for organizations running WordPress sites with the Woocommerce Custom Product Addons Pro plugin. Successful exploitation leads to remote code execution, granting attackers full control over the affected server environment. This can result in data theft, website defacement, installation of backdoors or malware, lateral movement within internal networks, and complete service disruption. E-commerce sites are particularly at risk as attackers could manipulate pricing, steal customer payment information, or disrupt sales operations. The vulnerability requires no authentication or user interaction, increasing the likelihood of automated exploitation and widespread attacks. Given WooCommerce's extensive use globally, this vulnerability poses a significant threat to online retailers, service providers, and any organization relying on this plugin for product customization. The potential for reputational damage, financial loss, and regulatory penalties is high if exploited.
Mitigation Recommendations
Immediate mitigation steps include disabling the custom pricing formula feature in the Woocommerce Custom Product Addons Pro plugin until a vendor patch is released. Administrators should restrict access to the affected plugin's configuration and input fields by implementing web application firewall (WAF) rules that block suspicious payloads containing PHP code or special characters like single quotes in pricing formula inputs. Employing input validation and sanitization at the web server or application firewall level can help prevent malicious input from reaching the eval() function. Monitoring logs for unusual POST requests targeting the plugin's endpoints is critical for early detection. If possible, isolate the WordPress environment to limit the impact of a potential compromise. Organizations should track vendor advisories for official patches and apply them promptly once available. Additionally, consider employing runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block exploitation attempts in real time.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-11T18:29:35.330Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c1d4a7f4197a8e3ba0b3f1
Added to database: 3/24/2026, 12:02:47 AM
Last enriched: 3/24/2026, 12:04:04 AM
Last updated: 3/24/2026, 5:18:44 AM