CVE-2026-4001 is a critical remote code execution vulnerability in the Woocommerce Custom Product Addons Pro WordPress plugin (up to version 5.4.1). The issue stems from the process_custom_formula() function in includes/process/price.php, which uses PHP's eval() on user-submitted custom pricing formulas without sufficient sanitization. The sanitize_values() method removes HTML tags but does not escape single quotes or prevent PHP code injection, enabling unauthenticated attackers to inject and execute arbitrary PHP code by submitting crafted input to a text field configured with a custom pricing formula (pricingType: "custom" with {this.value}). This vulnerability is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code).

Successful exploitation allows unauthenticated remote attackers to execute arbitrary PHP code on the affected server, leading to full compromise of confidentiality, integrity, and availability of the system hosting the vulnerable plugin. This can result in data theft, site defacement, malware deployment, or complete server takeover. The CVSS 3.1 base score of 9.8 reflects the high impact and ease of exploitation (network attack vector, no privileges or user interaction required).

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, it is recommended to disable or remove the Woocommerce Custom Product Addons Pro plugin if custom pricing formulas are used, or avoid using the custom pricing formula feature to prevent exploitation. Monitor vendor channels for updates and apply official patches promptly once available.