cleantalk
Vulnerabilities and Security Researches

Cart All In One For WooCommerce, CVE-2026-2019

CVE, Research URL

CVE-2026-2019

Home page URL

Security reports for Cart All In One For WooCommerce

Application

Cart All In One For WooCommerce

Published on
Feb 18, 2026
Research Description
The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server.
Affected versions
max 1.1.22.
Status
vulnerable
Previous vulnerability researches
Cart All In One For WooCommerce (CVE-2026-2019) , Apr 15, 2026
Cart All In One For WooCommerce (CVE-2022-46806) , Jun 07, 2024
New vulnerability
Timeline Event History (CVE-2026-1127) , Apr 15, 2026
Beaver Builder – WordPress Page Builder (CVE-2026-1231) , Apr 15, 2026
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-6461) , Apr 15, 2026
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF (CVE-2026-1246) , Apr 15, 2026
NextScripts: Social Networks Auto-Poster (CVE-2026-3228) , Apr 15, 2026