Description
The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server.
Published: 2026-02-18
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the Cart All In One For WooCommerce plugin, where an insufficiently validated input field named 'Assign page' is fed directly into the eval() function. This allows an authenticated user with Administrator-level access to insert arbitrary PHP code that will be executed on the server, compromising the entire site’s confidentiality, integrity, and availability.

Affected Systems

The affected product is the Villatheme Cart All In One For WooCommerce WordPress plugin. All releases up to and including version 1.1.21 are impacted.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, though the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability requires administrative privileges (authenticated via standard WordPress login), so an attacker must first compromise or obtain legitimate admin credentials. Once privileged, the attacker can exploit the eval() call to run arbitrary code. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, meaning no active exploitation has been publicly confirmed at this time.

Generated by OpenCVE AI on April 15, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cart All In One For WooCommerce plugin to a version newer than 1.1.21, which removes the eval() vulnerability.
  • If an upgrade cannot be performed immediately, restrict access to the plugin’s settings page or disable the 'Assign page' setting to prevent exploitation by administrators.
  • As a temporary workaround, edit the plugin file sidebar-cart-icon.php to remove or comment out the eval() call that uses the 'sc_assign_page' value, ensuring that no unsanitized code is executed.
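The root cause described above is a stored setting being executed as PHP. The following is an added illustration, not code from the Cart All In One For WooCommerce plugin: the option name 'sc_assign_page' comes from the advisory, while the function names, the option group name and the exact shape of the eval() call are assumptions. It contrasts the unsafe pattern with a hardened form that treats the setting as a page ID (data), validated both when the admin saves it and when it is read.

```php
<?php
// Added illustration; not the plugin's own code. Only the option name
// 'sc_assign_page' is taken from the advisory, the rest is assumed.

// UNSAFE pattern (CWE-74, eval on a stored setting): whatever was typed into
// the 'Assign page' field is executed as PHP. Any account that can write this
// option can run arbitrary code on the server.
function sc_unsafe_assigned_page_url() {
    $raw = get_option( 'sc_assign_page' );
    return eval( 'return ' . $raw . ';' ); // stored input must never reach eval()
}

// HARDENED form: the feature only needs a page ID, so validate the value as
// one. Reject anything that is not an existing, published page and fall back
// to 0 (unset).
function sc_sanitize_assign_page( $value ) {
    $page_id = absint( $value );
    if ( $page_id
        && 'page' === get_post_type( $page_id )
        && 'publish' === get_post_status( $page_id ) ) {
        return $page_id;
    }
    return 0;
}

// Register the option with a sanitize_callback so the check runs on every
// save through the Settings API, not only when the value is read.
function sc_register_assign_page_setting() {
    register_setting(
        'sc_settings_group',   // assumed option group name
        'sc_assign_page',
        array(
            'type'              => 'integer',
            'sanitize_callback' => 'sc_sanitize_assign_page',
            'default'           => 0,
        )
    );
}
add_action( 'admin_init', 'sc_register_assign_page_setting' );

// Read path: re-validate on read as well, in case the option was written
// directly to the database, bypassing the Settings API.
function sc_assigned_page_url() {
    $page_id = sc_sanitize_assign_page( get_option( 'sc_assign_page', 0 ) );
    return $page_id ? get_permalink( $page_id ) : '';
}
```

Two points for anyone applying the workaround above: eval is a PHP language construct, not a function, so it cannot be switched off with the disable_functions directive and the fix has to happen in the plugin code; and a quick way to confirm whether a site is still running the vulnerable pattern is to search the plugin directory for eval( calls that reference the sc_assign_page option.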


Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Villatheme; Villatheme cart All In One For Woocommerce; Wordpress; Wordpress wordpress
Vendors & Products  |                | Villatheme; Villatheme cart All In One For Woocommerce; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 07:15:00 +0000

Type        | Values Removed | Values Added
Description |                | The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server.
Title       |                | Cart All In One For WooCommerce <= 1.1.21 - Authenticated (Administrator+) Code Injection via 'sc_assign_page' Setting
Weaknesses  |                | CWE-74
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:28.852Z

Reserved: 2026-02-05T19:59:32.753Z

Link: CVE-2026-2019

Vulnrichment

Updated: 2026-02-18T20:26:03.743Z

NVD

Status : Deferred

Published: 2026-02-18T07:16:10.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2019

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses