Login Sign Up

CVE-2026-2296

7.2 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows authenticated attackers with Shop Manager or higher WordPress roles to execute arbitrary PHP code on the server. The flaw exists in the Product Addons for Woocommerce plugin where user input is passed directly to PHP's eval() function without proper validation. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Product Addons for Woocommerce – Product Options with Custom Fields WordPress plugin
Versions: All versions up to and including 3.1.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Shop Manager role or higher. All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise leading to data theft, malware installation, website defacement, or ransomware deployment.

🟠

Likely Case

Unauthorized code execution allowing data exfiltration, backdoor installation, or privilege escalation within the WordPress environment.

🟢

If Mitigated

Limited impact if proper role-based access controls and input validation are implemented, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is in publicly available code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.1 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/woo-custom-product-addons

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Product Addons for Woocommerce'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 3.1.1+ from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the plugin until patched version can be installed

wp plugin deactivate woo-custom-product-addons

Restrict user roles

all

Review and limit Shop Manager and Administrator roles to trusted users only

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block eval() function calls in POST requests
  • Enable strict file integrity monitoring and limit PHP execution capabilities for the plugin directory

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → Product Addons for Woocommerce version. If version is 3.1.0 or lower, you are vulnerable.

Check Version:

wp plugin get woo-custom-product-addons --field=version

Verify Fix Applied:

After updating, verify plugin version is 3.1.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with 'operator' parameter containing PHP code
  • Unexpected PHP eval() calls in web server logs
  • New files created in wp-content/plugins/woo-custom-product-addons directory

Network Indicators:

  • HTTP POST requests containing PHP code snippets in parameters
  • Unusual outbound connections from web server following plugin-related requests

SIEM Query:

source="web_server_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND request_body CONTAINS "eval(" OR request_body CONTAINS "base64_decode(")

📊 Metadata

CVE ID: CVE-2026-2296
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-94
Published: February 18, 2026
Last Updated: February 18, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2296, you might also want to check these:

CVE-2025-62521 10.0

CVE-2025-62521 is a critical pre-authentication remote code execution vulnerability in ChurchCRM tha...

Same vulnerability type (CWE-94)
CVE-2026-26216 10.0

Crawl4AI versions before 0.8.0 contain an unauthenticated remote code execution vulnerability in the...

Same vulnerability type (CWE-94)
CVE-2021-22205 10.0

CVE-2021-22205 is a critical remote code execution vulnerability in GitLab CE/EE where improper vali...

Same vulnerability type (CWE-94)