What is CVE-2026-4001?

CVE-2026-4001 is a critical-severity vulnerability in Acowebs Woocommerce Custom Product Addons Pro, classified under Eval Injection. CVSS score: 9.8/10. Published 2026-03-23.

How severe is CVE-2026-4001?

Critical severity. CVSS v3 base score is 9.8 out of 10.

RCE in Acowebs Woocommerce Custom Product Addons Pro

CVE-2026-4001

The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within include…

EPSS: 0.002 (43.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Acowebs Woocommerce Custom Product Addons Pro — versions 0

Weakness classification (CWE)

CWE-95 — Eval Injection

References

www.wordfence.com/threat-intel/vulnerabilities/id/70a2b6ff-defc-4722-9af9-3cae9…
acowebs.com/woo-custom-product-addons/

Frequently asked questions

What is CVE-2026-4001?: CVE-2026-4001 is a critical-severity vulnerability in Acowebs Woocommerce Custom Product Addons Pro, classified under Eval Injection. CVSS score: 9.8/10. Published 2026-03-23.
How severe is CVE-2026-4001?: Critical severity. CVSS v3 base score is 9.8 out of 10.