CVE-2026-2296
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
The Product Addons for Woocommerce - Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function, which passes unsanitized user input directly to PHP's eval() function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject and execute arbitrary PHP code on the server via the conditional logic 'operator' parameter when saving addon form field rules.
Analysis
Arbitrary PHP code execution in Product Addons for WooCommerce plugin (versions up to 3.1.0) through unsafe use of eval() on unsanitized conditional logic operators allows Shop Manager-level and higher-privileged WordPress users to execute malicious code on affected servers. The vulnerability stems from insufficient input validation in the evalConditions() function where user-supplied operator parameters are passed directly to PHP's eval() without sanitization. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all WordPress installations for the vulnerable plugin and document affected systems. Within 7 days: Disable the plugin on all affected sites if business-critical functionality allows, or implement WAF rules to block malicious payloads targeting the plugin. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today