Code Injection Vulnerability in Product Addons for WooCommerce Plugin
CVE-2026-2296

7.2HIGH

Key Information:

Vendor: WordPress
Status: Product Addons For WooCommerce – Product Options With Custom Fields
Vendor: CVE Published:; 18 February 2026

What is CVE-2026-2296?

The Product Addons for WooCommerce plugin for WordPress is susceptible to a code injection vulnerability found in all versions up to and including 3.1.0. This issue arises from inadequate input validation in the 'operator' field of conditional logic rules within the evalConditions() function. Due to this vulnerability, authenticated attackers with Shop Manager-level or higher access can inject and execute arbitrary PHP code on the server by manipulating the conditional logic 'operator' parameter when saving addon form field rules. It highlights the necessity for robust input validation and security measures to protect against unauthorized code execution.

Affected Version(s)

Product Addons for Woocommerce – Product Options with Custom Fields 0 <= 3.1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/woo-custom-pro...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 18, 2026
Vulnerability Reserved
Feb 10, 2026

Credit

Phap Nguyen Anh

CVE-2026-2296 Data

JSON