Platform
wordpress
Component
woo-custom-product-addons-pro
Fixed in
5.4.2
The OpenClaw OAuth flow before version 2026.4.2 improperly reused the PKCE verifier as the OAuth state value, leading to a potential information disclosure. This allows an attacker who can intercept the redirect URL to obtain both the authorization code and the PKCE verifier, effectively bypassing PKCE's protection. Versions affected include those prior to 2026.4.1, and a patch is available in version 2026.4.2.
CVE-2026-4001 in the WooCommerce Custom Product Addons Pro plugin represents a critical Remote Code Execution (RCE) risk for WordPress websites using it. The flaw lies within the processcustomformula() function in includes/process/price.php, specifically in the use of the eval() function to process custom pricing formulas. Insufficient sanitization and validation of user-submitted field values before passing them to eval() allows an attacker to inject malicious PHP code. An attacker could exploit this vulnerability to execute arbitrary commands on the server, potentially compromising the entire website, including the database, files, and the ability to steal sensitive user information. The CVSS score of 9.8 indicates an extremely high severity.
The vulnerability is exploitable through the WordPress admin interface, specifically when modifying or creating products with custom pricing options that utilize formulas. An attacker with user access (even with limited privileges) can inject malicious PHP code within the price formula. Execution of this code occurs when the website processes the formula, allowing the attacker to execute arbitrary commands on the server. The complexity of exploitation is relatively low, as it doesn't require advanced technical skills. The likelihood of exploitation is high, given the plugin's popularity and the ease with which malicious code can be injected. The lack of input validation is the key factor enabling exploitation.
Exploit Status
EPSS
0.18% (40% percentile)
CISA SSVC
CVSS Vector
The immediate solution is to update the WooCommerce Custom Product Addons Pro plugin to version 5.4.2 or higher. This version corrects the vulnerability by implementing more robust validation and sanitization of input data before it's used in the eval() function. If updating isn’t immediately possible, temporarily disabling the plugin or restricting access to the custom formula function to authorized users is recommended. Regularly performing security audits of the website and keeping all WordPress components (core, themes, and plugins) updated is also crucial to mitigate other potential risks. Implementing a Web Application Firewall (WAF) is also recommended to detect and block exploitation attempts.
Update to version 5.4.2, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
RCE means an attacker can execute arbitrary code on a remote server, giving them control over the system.
If you are using a version prior to 5.4.2 of the WooCommerce Custom Product Addons Pro plugin, you are vulnerable.
Immediately change all passwords, perform a full security audit, and consider restoring from a clean backup.
You can temporarily disable the plugin or restrict access to the custom formula function.
Keep all WordPress components updated, use strong passwords, and perform regular security audits.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.