CRITICAL · CVE-2026-4001 · CVSS 9.8

Remote Code Execution in WooCommerce Custom Product Addons Pro (CVE-2026-4001)

Platform

wordpress

Component

woo-custom-product-addons-pro

Fixed in

5.4.2

AI Confidence: high · Source: NVD · EPSS 0.2% · Reviewed: Apr 2026

CVE-2026-4001 is a remote code execution flaw in the WooCommerce Custom Product Addons Pro plugin for WordPress. Versions up to and including 5.4.1 pass insufficiently validated user-submitted field values into PHP's eval() while processing custom pricing formulas, so an attacker can supply PHP code that the server executes. The issue is fixed in version 5.4.2.


Impact and Attack Scenarios

CVE-2026-4001 in the WooCommerce Custom Product Addons Pro plugin is a critical remote code execution (RCE) flaw for WordPress sites that use it. The bug is in the processcustomformula() function in includes/process/price.php, which runs custom pricing formulas through PHP's eval(). User-submitted field values are not sufficiently validated or sanitized before they reach that eval() call, so an attacker can inject PHP code of their choosing. Successful exploitation runs arbitrary commands on the web server, which is enough to compromise the whole site: the database, the files, and any sensitive user data stored there. The CVSS 3.1 base score of 9.8 reflects unauthenticated, low-complexity exploitation with full impact on confidentiality, integrity and availability.

Exploitation Context

The sink is reached when the site processes a product whose price is computed from a custom formula: the formula is configured in the WordPress admin interface when a product with custom pricing options is created or edited, and the field values substituted into it come from the form a user submits. The page's CVSS vector rates the flaw as exploitable without privileges (PR:N), which matches the analysis above that user-submitted field values are what reach eval(); a user who can also edit the formula itself has an even more direct path. Exploitation is low-complexity: no special conditions, timing or advanced skill is needed, only a crafted value where a number is expected. Given the plugin's install base and how easily PHP can be smuggled into such a value, the flaw should be treated as likely to be exploited once a proof of concept circulates, even though the page currently records none. The missing input validation is the root cause.
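As an added illustration, constructed for this page and not taken from the plugin's source or from the page's author, the PHP below shows the pattern the two sections above describe: a pricing formula evaluated with eval() after shopper-supplied values are substituted in, next to a replacement that parses the formula with a small whitelist grammar and never calls eval(). The function names, the {field} placeholder syntax and the sample inputs are assumptions made for the example.

```php
<?php
// Constructed example of the bug class described above: a pricing formula
// assembled from shopper-supplied field values and handed to eval(). NOT the
// plugin's own code; function names and the {field} placeholder syntax are assumed.

// Vulnerable pattern: placeholders are replaced with raw request values and the
// string is evaluated. A value such as 'system("id")' runs before any arithmetic.
function price_formula_unsafe(string $formula, array $fields): float
{
    foreach ($fields as $name => $value) {
        $formula = str_replace('{' . $name . '}', (string) $value, $formula);
    }
    return (float) eval('return ' . $formula . ';'); // untrusted input reaches eval()
}

// Hardened replacement: no eval(). A recursive-descent parser accepts only
// numbers, {placeholders}, + - * /, unary minus and parentheses, and every
// shopper value must be numeric. Anything else throws before evaluation.
final class PriceFormula
{
    private string $src;
    private int $pos = 0;
    private array $fields = [];

    public function __construct(string $formula, array $fields)
    {
        $this->src = preg_replace('/\s+/', '', $formula) ?? '';
        foreach ($fields as $name => $value) {
            if (!is_numeric($value)) throw new InvalidArgumentException("field {$name} is not numeric");
            $this->fields[(string) $name] = (float) $value;
        }
    }

    public function evaluate(): float
    {
        $v = $this->expr();
        if ($this->pos !== strlen($this->src)) throw new InvalidArgumentException("trailing input at {$this->pos}");
        return $v;
    }

    // expr := term (('+'|'-') term)*
    private function expr(): float
    {
        $v = $this->term();
        while (($c = $this->peek()) === '+' || $c === '-') {
            $this->pos++;
            $r = $this->term();
            $v = ($c === '+') ? $v + $r : $v - $r;
        }
        return $v;
    }
    // term := factor (('*'|'/') factor)*
    private function term(): float
    {
        $v = $this->factor();
        while (($c = $this->peek()) === '*' || $c === '/') {
            $this->pos++;
            $r = $this->factor();
            if ($c === '/' && $r == 0.0) throw new InvalidArgumentException('division by zero');
            $v = ($c === '*') ? $v * $r : $v / $r;
        }
        return $v;
    }
    // factor := number | '{' name '}' | '(' expr ')' | '-' factor
    private function factor(): float
    {
        $c = $this->peek();
        if ($c === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($this->peek() !== ')') throw new InvalidArgumentException('missing )');
            $this->pos++;
            return $v;
        }
        if ($c === '-') {
            $this->pos++;
            return -$this->factor();
        }
        if (preg_match('/\G\{([A-Za-z0-9_]+)\}/', $this->src, $m, 0, $this->pos)) {
            $this->pos += strlen($m[0]);
            if (!isset($this->fields[$m[1]])) throw new InvalidArgumentException("unknown field {$m[1]}");
            return $this->fields[$m[1]];
        }
        if (preg_match('/\G\d+(?:\.\d+)?/', $this->src, $m, 0, $this->pos)) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        throw new InvalidArgumentException("unexpected character at {$this->pos}");
    }
    private function peek(): string
    {
        return $this->src[$this->pos] ?? '';
    }
}

// Same admin-configured formula, two shopper inputs: the first is priced, the
// second (an injection attempt) is rejected before anything is evaluated.
$formula = '{base} + {qty} * 2.5';
echo (new PriceFormula($formula, ['base' => '10', 'qty' => '4']))->evaluate(), PHP_EOL;
try {
    (new PriceFormula($formula, ['base' => '10', 'qty' => 'system("id")']))->evaluate();
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the php command-line binary: the first call prints the computed price, the second prints the rejection. The page says 5.4.2 adds validation and sanitization before eval(); the safest form of that fix is the one shown, where eval() is removed from the path entirely and the formula is interpreted by code that can only do arithmetic.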

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.18% (40th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: woo-custom-product-addons-pro
Vendor: wordfence
Affected range: 0 – 5.4.1
Fixed in: 5.4.2

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The immediate fix is to update the WooCommerce Custom Product Addons Pro plugin to version 5.4.2 or later, which validates and sanitizes input before it is used in the eval() call. If updating is not immediately possible, disable the plugin or restrict the custom formula feature to trusted users. A Web Application Firewall (WAF) can detect and block injection attempts in the meantime, but it is a stopgap, not a substitute for the patch. Keeping WordPress core, themes and plugins current and auditing the site regularly reduces exposure to this and similar issues.

How to fix

Update to version 5.4.2, or a newer patched version


Frequently asked questions

What is CVE-2026-4001 — Remote Code Execution (RCE) in Woocommerce Custom Product Addons Pro?

Remote code execution means an attacker can run code of their choosing on the server. Here, custom pricing formulas are run through PHP's eval() with insufficiently validated field values, so an attacker can supply PHP that the web server executes, giving them control of the site.

Am I affected by CVE-2026-4001 in Woocommerce Custom Product Addons Pro?

If you are running any version of the WooCommerce Custom Product Addons Pro plugin before 5.4.2 (affected range 0 – 5.4.1), you are vulnerable.

How do I fix CVE-2026-4001 in Woocommerce Custom Product Addons Pro?

Update the plugin to version 5.4.2 or newer. If you cannot update immediately, disable the plugin or restrict the custom formula feature to trusted users. If you suspect the site was already exploited, treat it as compromised: change all passwords, perform a full security audit, and consider restoring from a clean backup.

Is CVE-2026-4001 being actively exploited?

Not as far as this page records: no public proof of concept is known, the CVE is not in the CISA KEV catalog, the SSVC exploitation status is "none", and the EPSS score is 0.18% (40th percentile). High internet exposure and low attack complexity still make it a patch-now item.

Where can I find the official Woocommerce Custom Product Addons Pro advisory for CVE-2026-4001?

This page records wordfence as the vendor entry for the CVE but gives no direct advisory link; the plugin's 5.4.2 release notes and the Wordfence advisory for CVE-2026-4001 are the places to look.
