Description

The Product Addons for Woocommerce – Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function, which passes unsanitized user input directly to PHP's eval() function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject and execute arbitrary PHP code on the server via the conditional logic 'operator' parameter when saving addon form field rules.
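The root cause described above is an operator string that reaches eval() unchanged. The following PHP 8 snippet is an added example, not code from the plugin or from Wordfence, showing the mitigation pattern a reviewer would expect: the stored 'operator' value is treated as a lookup key into a fixed allowlist and selects a branch, so it can never become PHP source. The rule shape (`field`, `operator`, `value`), the function names and the sample rules are all assumptions constructed for the example.

```php
<?php
// Added example (not the plugin's code): evaluating conditional-logic rules
// without eval(). Rule shape, function names and sample data are assumptions.

declare(strict_types=1);

/**
 * Allowlist of permitted comparison operators. A stored 'operator' field is
 * only ever used as a key into this table, never interpolated into code.
 */
const ALLOWED_OPERATORS = [
    'is'       => true,
    'is_not'   => true,
    'greater'  => true,
    'less'     => true,
    'contains' => true,
    'is_empty' => true,
];

/**
 * Validate a rule at save time. Returns an error message, or null when the
 * rule is acceptable. Run this on submitted rules before persisting them so
 * that an unexpected operator is rejected by the Shop Manager UI, not stored.
 */
function validate_rule(array $rule): ?string {
    if (!isset($rule['operator']) || !is_string($rule['operator'])) {
        return 'operator missing';
    }
    if (!array_key_exists($rule['operator'], ALLOWED_OPERATORS)) {
        return sprintf('operator %s is not permitted', json_encode($rule['operator']));
    }
    if (!isset($rule['field']) || !is_string($rule['field'])) {
        return 'field missing';
    }
    return null;
}

/**
 * Evaluate one rule against submitted form values. Validation is repeated
 * here so a rule that was stored before the allowlist existed still cannot
 * influence anything but the boolean result.
 */
function evaluate_rule(array $rule, array $values): bool {
    if (validate_rule($rule) !== null) {
        return false; // defensive default: an invalid rule never matches
    }
    $actual   = (string) ($values[$rule['field']] ?? '');
    $expected = (string) ($rule['value'] ?? '');

    switch ($rule['operator']) {
        case 'is':       return $actual === $expected;
        case 'is_not':   return $actual !== $expected;
        case 'greater':  return is_numeric($actual) && is_numeric($expected) && (float) $actual > (float) $expected;
        case 'less':     return is_numeric($actual) && is_numeric($expected) && (float) $actual < (float) $expected;
        case 'contains': return $expected !== '' && str_contains($actual, $expected);
        case 'is_empty': return $actual === '';
    }
    return false; // unreachable after validation; kept so every path returns
}

// Constructed sample rules; the last one uses an operator outside the allowlist.
$rules = [
    ['field' => 'size',     'operator' => 'is',      'value' => 'large'],
    ['field' => 'quantity', 'operator' => 'greater', 'value' => '2'],
    ['field' => 'note',     'operator' => 'is_empty'],
    ['field' => 'size',     'operator' => 'not_a_real_operator', 'value' => ''],
];

// Constructed sample of submitted form values.
$values = ['size' => 'large', 'quantity' => '3', 'note' => ''];

foreach ($rules as $i => $rule) {
    $err = validate_rule($rule);
    if ($err !== null) {
        printf("rule %d rejected at save time: %s\n", $i, $err);
        continue;
    }
    printf("rule %d (%s) => %s\n", $i, $rule['operator'],
        evaluate_rule($rule, $values) ? 'match' : 'no match');
}
```

The design point is that the set of operators is closed at development time: adding a new comparison means adding a key and a `case`, and anything else submitted through the rule editor is refused before it is stored. Checking the allowlist again at evaluation time also covers rules that were saved before the check existed.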

PUBLISHED | Reserved 2026-02-10 | Published 2026-02-18 | Updated 2026-02-18 | Assigner: Wordfence

HIGH: 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected

* (semver): affected

Timeline

2026-02-10: Vendor Notified
2026-02-17: Disclosed

Credits

Phap Nguyen Anh (finder)

References

www.wordfence.com/...-2421-4dfa-8775-ca0497759d52?source=cve

plugins.trac.wordpress.org/.../process/conditional-logic.php

plugins.trac.wordpress.org/.../process/conditional-logic.php

plugins.trac.wordpress.org/.../process/conditional-logic.php

plugins.trac.wordpress.org/.../process/conditional-logic.php

plugins.trac.wordpress.org/...t-addons&sfp_email=&sfph_mail=

cve.org (CVE-2026-2296)

nvd.nist.gov (CVE-2026-2296)