cleantalk
Vulnerabilities and Security Researches

Product Addons for Woocommerce – Product Options with Custom Fields, CVE-2026-2296

CVE, Research URL

CVE-2026-2296

Home page URL

Security reports for Product Addons for Woocommerce – Product Options with Custom Fields

Application

Product Addons for Woocommerce – Product Options with Custom Fields

Published on
Feb 18, 2026
Research Description
The Product Addons for Woocommerce – Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function, which passes unsanitized user input directly to PHP's eval() function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject and execute arbitrary PHP code on the server via the conditional logic 'operator' parameter when saving addon form field rules.
Affected versions
max 3.1.1.
Status
vulnerable
Previous vulnerability researches
Product Addons for Woocommerce – Product Options with Custom Fields (CVE-2026-2296) , Apr 15, 2026
New vulnerability
Timeline Event History (CVE-2026-1127) , Apr 15, 2026
Beaver Builder – WordPress Page Builder (CVE-2026-1231) , Apr 15, 2026
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-6461) , Apr 15, 2026
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF (CVE-2026-1246) , Apr 15, 2026
NextScripts: Social Networks Auto-Poster (CVE-2026-3228) , Apr 15, 2026