Platform
wordpress
Component
woo-custom-product-addons
Fixed in
3.1.1
CVE-2026-2296 describes a code injection vulnerability discovered in the Product Addons for Woocommerce – Product Options with Custom Fields plugin for WordPress. This flaw allows authenticated attackers with Shop Manager-level access or higher to execute arbitrary PHP code on the server. The vulnerability affects versions 0.0.0 through 3.1.0, and a patch is available in version 3.1.1.
The impact of this vulnerability is significant. An attacker who can exploit this code injection flaw can gain complete control over the WordPress server hosting the affected WooCommerce store. This could lead to data breaches, website defacement, malware installation, and potentially compromise other systems on the same network. The ability to execute arbitrary PHP code bypasses standard WordPress security measures, making it a high-risk vulnerability. The reliance on eval() without proper sanitization is a common attack vector, similar to vulnerabilities seen in other PHP applications where user-supplied data is directly incorporated into code execution.
CVE-2026-2296 was publicly disclosed on 2026-02-18. There is no indication of active exploitation at this time, but the availability of a public CVE and the ease of exploitation (requiring only Shop Manager access) suggest a potential for future attacks. The EPSS score is likely to be medium, reflecting the vulnerability's severity and potential for exploitation. No KEV listing is currently available.
WooCommerce store owners using the Product Addons for Woocommerce – Product Options with Custom Fields plugin are at risk. Specifically, those running versions 0.0.0 through 3.1.0 are vulnerable. Shared hosting environments where multiple WordPress installations share the same server resources are particularly susceptible, as a compromise of one site could potentially impact others.
• wordpress / plugin: Check whether the plugin is installed (wp plugin list prints plugin slugs, so grep for the slug rather than the display name).
wp plugin list | grep woo-custom-product-addons
• wordpress / plugin: Check plugin version. If < 3.1.1, the system is vulnerable.
wp plugin get woo-custom-product-addons --field=version
• wordpress / plugin: Examine the evalConditions() function in the plugin's code for unsanitized user input.
• wordpress / server: Review WordPress access logs for suspicious requests containing PHP code in the 'operator' parameter within conditional logic settings.
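The last check above, worked through as an added example that is not part of the advisory or the plugin's code: it parses constructed access-log lines in combined format and flags any request whose 'operator' query value is not a plain comparison operator. The allowlist of operator values, the action=save_conditions parameter and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of legitimate operator values (not taken from the plugin's code).
ALLOWED_OPERATORS = {"==", "!=", "<", ">", "<=", ">=", "contains", "not_contains"}
# Characters or keywords that only make sense if the value is meant to run as PHP.
PHP_MARKERS = re.compile(r"[;$(`]|<\?php|\b(eval|system|exec|passthru|shell_exec|assert)\b", re.I)
# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real traffic); the action name is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=save_conditions&operator=%3D%3D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Feb/2026:10:03:44 +0000] "POST /wp-admin/admin-ajax.php?action=save_conditions&operator=%3D%3D%3Bphpinfo%28%29%3B HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [18/Feb/2026:10:05:00 +0000] "GET /shop/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Feb/2026:10:06:10 +0000] "POST /wp-admin/admin-ajax.php?action=save_conditions&operator=between HTTP/1.1" 200 512 "-" "curl/8.0"
"""


def suspicious_operator_requests(log_text):
    """Return one finding per request whose decoded 'operator' value is not an allowed operator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in params.get("operator", []):  # parse_qs already percent-decodes
            if value in ALLOWED_OPERATORS:
                continue
            # Distinguish clear code markers from merely unknown values (allowlist may be incomplete).
            reason = "php_code_markers" if PHP_MARKERS.search(value) else "unexpected_operator"
            findings.append({"ip": m["ip"], "timestamp": m["ts"], "status": m["status"],
                             "operator": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_operator_requests(SAMPLE_LOG):
        print(f)
```

Access logs only carry query strings, so parameters sent in a POST body are visible only where a WAF or request-body audit log records them.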
Disclosure
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2296 is to immediately upgrade the Product Addons for Woocommerce – Product Options with Custom Fields plugin to version 3.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the conditional logic settings within the plugin to prevent unauthorized modifications. While not a complete solution, a Web Application Firewall (WAF) configured to block requests containing suspicious PHP code in the 'operator' parameter could provide an additional layer of defense. Regularly review plugin configurations and user permissions to minimize the attack surface.
Update to version 3.1.1 or a newer patched version.
CVE-2026-2296 is a code injection vulnerability affecting the Product Addons for Woocommerce plugin, allowing attackers with Shop Manager access to execute arbitrary PHP code.
Yes, if you are using Product Addons for Woocommerce versions 0.0.0 through 3.1.0, you are vulnerable to this code injection flaw.
Upgrade the Product Addons for Woocommerce plugin to version 3.1.1 or later to resolve the vulnerability.
There is currently no evidence of active exploitation, but the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the official Product Addons for Woocommerce documentation and WordPress security announcements for the latest advisory information.