WordPress Plugin Vulnerabilities

Cart All In One For WooCommerce < 1.1.22 - Admin+ Code Injection

Description

The plugin is vulnerable to Code Injection due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server.

Affects Plugins

Plugin icon
woo-cart-all-in-one
Fixed in 1.1.22

References

CVE
CVE-2026-2019
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/25bdb89f-3478-4a1a-8bf0-46e88207eb21

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Phap Nguyen Anh
Verified
No
WPVDB ID
3d571f5e-349f-4eb9-8738-2ea34ca3f51c

Timeline

Publicly Published
2026-02-17 (about 3 months ago)
Added
2026-02-17 (about 3 months ago)
Last Updated
2026-02-17 (about 3 months ago)

Other

Published
Title
Published
2025-08-28
Title
PDF Generator for WordPress < 1.5.4 - Editor+ RCE
Published
2023-05-22
Title
Revolution Slider <= 6.6.12 - Author+ Remote Code Execution
Published
2025-07-10
Title
GB Forms DB < 1.0.3 - Unauthenticated Remote Code Execution
Published
2025-02-12
Title
Avada Theme < 7.11.14 - Unauthenticated Arbitrary Shortcode Execution
Published
2022-12-29
Title
Multiple themes - Unauthenticated Arbitrary File Upload