Product Addons For Woocommerce – Product Options With Custom Fields
Approved changes feed: RSS · Atom
cpe:2.3:a:acowebs:product_addons_for_woocommerce_–_product_options_with_custom_fields:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Acowebs (059c1c2e-0cfa-5908-8b0a-b11cfcd4f8ef) |
|---|---|
| Product | Product Addons For Woocommerce – Product Options With Custom Fields (fd68dff9-4f9d-5346-8515-2f1c11616a8e) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-2296 |
vulnerable | 2026-06-03 15:19:23.945465 |
Product Addons for Woocommerce – Product Options with Custom Fields <= 3.1.0 - Authenticated (Shop Manager+) Code Injection via Conditional Logic 'operator' Parameter
HIGH (7.2)
The Product Addons for Woocommerce – Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function, which passes unsanitized user input directly to PHP's eval() function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject and execute arbitrary PHP code on the server via the conditional logic 'operator' parameter when saving addon form field rules.
Published: 2026-02-18T06:42:43.286Z
Updated: 2026-04-08T17:16:46.472Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.