CVE-2026-4001
Woocommerce Custom Product Addons Pro (WordPress Plugin)
The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to unauthenticated Remote Code Execution (RCE) via the PHP eval() function in custom pricing formulas.
Executive summary
Unauthenticated attackers can execute arbitrary PHP code on WordPress sites using the Woocommerce Custom Product Addons Pro plugin, resulting in total server takeover.
Vulnerability
The plugin uses the eval() function within process_custom_formula() to handle pricing. Because it fails to properly sanitize user-submitted field values (specifically failing to escape single quotes), an unauthenticated attacker can inject and execute arbitrary PHP code.
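The fix for this class of bug is to never hand user-influenced text to eval() at all: validate each submitted field as a plain number, substitute it into an admin-defined template, and evaluate the arithmetic with a tiny parser. The following is an added illustration, not the plugin's code and not taken from this advisory; the class name, the {placeholder} template syntax, the field names and the sample values are all assumptions constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example (not the plugin's code): a pricing formula evaluated without eval().
// Vulnerable shape described above (do not use): eval('return ' . $formula_with_user_values . ';').
// Here the template is admin-controlled, user values must match a strict numeric pattern,
// and the resulting expression is parsed by hand, so no PHP is ever interpreted.

final class SafeFormulaEvaluator
{
    private string $src;
    private int $pos = 0;

    private function __construct(string $src) { $this->src = $src; }

    // Replace each {name} with a validated numeric literal, then parse the arithmetic.
    public static function evaluate(string $template, array $fields): float
    {
        $expr = preg_replace_callback(
            '/\{([A-Za-z_][A-Za-z0-9_]*)\}/',
            static function (array $m) use ($fields): string {
                $name = $m[1];
                if (!array_key_exists($name, $fields) || !is_scalar($fields[$name])) {
                    throw new InvalidArgumentException("missing or non-scalar field {$name}");
                }
                $value = (string) $fields[$name];
                // Only a plain decimal number survives; quotes, letters, '$' and ';' are rejected.
                if (!preg_match('/^-?\d+(\.\d+)?$/', $value)) {
                    throw new InvalidArgumentException("non-numeric value for {$name}");
                }
                return '(' . $value . ')';
            },
            $template
        );
        // Defence in depth: after substitution only digits, operators, parentheses and blanks remain.
        if (!preg_match('/^[0-9.+\-*\/() \t]+$/', $expr)) {
            throw new InvalidArgumentException('formula contains disallowed characters');
        }
        $p = new self($expr);
        $result = $p->parseExpr();
        $p->skipWs();
        if ($p->pos !== strlen($p->src)) {
            throw new InvalidArgumentException('trailing input in formula');
        }
        return $result;
    }

    private function skipWs(): void
    {
        while (($this->src[$this->pos] ?? '') === ' ' || ($this->src[$this->pos] ?? '') === "\t") {
            $this->pos++;
        }
    }

    // expr := term (('+' | '-') term)*
    private function parseExpr(): float
    {
        $v = $this->parseTerm();
        for (;;) {
            $this->skipWs();
            $c = $this->src[$this->pos] ?? '';
            if ($c === '+') { $this->pos++; $v += $this->parseTerm(); }
            elseif ($c === '-') { $this->pos++; $v -= $this->parseTerm(); }
            else { return $v; }
        }
    }

    // term := factor (('*' | '/') factor)*
    private function parseTerm(): float
    {
        $v = $this->parseFactor();
        for (;;) {
            $this->skipWs();
            $c = $this->src[$this->pos] ?? '';
            if ($c === '*') { $this->pos++; $v *= $this->parseFactor(); }
            elseif ($c === '/') {
                $this->pos++;
                $d = $this->parseFactor();
                if ($d == 0.0) { throw new InvalidArgumentException('division by zero'); }
                $v /= $d;
            } else { return $v; }
        }
    }

    // factor := number | '(' expr ')' | '-' factor
    private function parseFactor(): float
    {
        $this->skipWs();
        $c = $this->src[$this->pos] ?? '';
        if ($c === '(') {
            $this->pos++;
            $v = $this->parseExpr();
            $this->skipWs();
            if (($this->src[$this->pos] ?? '') !== ')') {
                throw new InvalidArgumentException('missing closing parenthesis');
            }
            $this->pos++;
            return $v;
        }
        if ($c === '-') { $this->pos++; return -$this->parseFactor(); }
        if (preg_match('/\G\d+(\.\d+)?/', $this->src, $m, 0, $this->pos)) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        throw new InvalidArgumentException("unexpected input at offset {$this->pos}");
    }
}

// Constructed sample: an admin-defined template and submitted addon field values.
$template = '{base} * {qty} + ({engraving} * 2.5)';
echo SafeFormulaEvaluator::evaluate($template, ['base' => '19.99', 'qty' => '3', 'engraving' => '1']), "\n";

// A stray single quote, the character the advisory says the plugin fails to escape, is rejected
// by the numeric check before any parsing happens.
try {
    SafeFormulaEvaluator::evaluate($template, ['base' => "19.99'", 'qty' => '1', 'engraving' => '0']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The important property is that the user's bytes never reach an interpreter: the numeric regex is the trust boundary, the post-substitution whitelist catches anything a template author might have slipped in, and the recursive-descent parser only knows numbers, four operators and parentheses. Escaping quotes inside an eval()'d string, the narrower fix the advisory implies was missing, is strictly weaker than removing eval() altogether.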
Business impact
A successful exploit grants the attacker full control over the WordPress environment and the underlying web server. This can lead to the theft of customer data, injection of credit card skimmers (Magecart-style), and complete site defacement. The CVSS score of 9.8 indicates a critical risk to the confidentiality and integrity of the e-commerce platform.
Remediation
Immediate Action: Update the Woocommerce Custom Product Addons Pro plugin to the latest patched version.
Proactive Monitoring: Scan the WordPress filesystem for unauthorized PHP files or modifications to core files. Monitor for unusual outbound network connections from the web server.
Compensating Controls: Use a Web Application Firewall (WAF) to block requests containing PHP execution patterns or suspicious characters in product addon fields.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Due to the critical nature of unauthenticated RCE, administrators must update this plugin immediately. If an update is not available, the plugin should be deactivated until a patch is applied to prevent site compromise.