Description
Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection. This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through <= 4.5.9.
Published: 2025-11-06
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of code generation that lets attackers inject arbitrary code into the WordPress environment. Code injected through the affected plugin can execute with the same privileges as the web server, compromising the confidentiality, integrity, and availability of the site. The weakness is categorized as CWE-94, a failure to control the generation of executable code.

Affected Systems

Any WordPress installation running the acowebs Dynamic Pricing With Discount Rules for WooCommerce plugin at version 4.5.9 or earlier is impacted. The plugin runs on WooCommerce sites that use its dynamic pricing feature, giving attackers a broad potential target surface.

Risk and Exploitability

The CVSS score of 9.1 reflects critical severity with high potential impact. The EPSS score of less than 1 percent indicates a low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to involve crafted requests that trigger the code generation routine, allowing an attacker to inject code without requiring additional privileges. Note that the current CVSS 3.1 vector recorded in the History section rates Privileges Required as High (PR:H) with changed scope (S:C), where the earlier 9.8 vector used PR:N. The risk remains significant due to the severe impact if exploited.

Generated by OpenCVE AI on April 30, 2026 at 14:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the acowebs Dynamic Pricing With Discount Rules for WooCommerce plugin to the latest available version so that any corrected code-generation logic is applied.
  • If an update cannot be applied immediately, deactivate the plugin to remove the attack surface until a patch is available.
  • Implement web application firewall rules or IP whitelisting that restrict access to endpoints exposed by the plugin, and monitor server logs for suspicious code-generation attempts.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Mon, 10 Nov 2025 20:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 06 Nov 2025 20:45:00 +0000

Type: First Time appeared
Values Added: Acowebs; Acowebs dynamic Pricing With Discount Rules For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Acowebs; Acowebs dynamic Pricing With Discount Rules For Woocommerce; Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type: Description
Values Added: Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection. This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through <= 4.5.9.

Type: Title
Values Added: WordPress Dynamic Pricing With Discount Rules for WooCommerce plugin <= 4.5.9 - Arbitrary Code Execution vulnerability

Type: Weaknesses
Values Added: CWE-94

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:46.488Z

Reserved: 2025-05-07T10:44:15.222Z

Link: CVE-2025-47588

Vulnrichment

Updated: 2025-11-10T19:39:58.794Z

NVD

Status: Deferred

Published: 2025-11-06T16:15:51.363

Modified: 2026-04-27T19:16:14.087

Link: CVE-2025-47588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:45:24Z

Weaknesses