June 6, 2026 update: WooCommerce Custom Product Addons Pro CVE-2026-4001 is a critical WordPress plugin vulnerability affecting stores that use older AcoWebs Custom Product Addons Pro builds. Wordfence lists the issue as CVSS 9.8 Critical, NVD has a matching CVE record sourced from Wordfence, and Patchstack lists the issue as high priority with a patched version available.
Plain-English impact: this is the kind of plugin issue that can turn a normal storefront feature into a server compromise risk when the vulnerable version and affected product-option setup are present. If your WooCommerce store uses Custom Product Addons Pro, do not treat this as a cosmetic plugin update. Patch it, test checkout, and review the site afterward.
The fix path is straightforward: move away from WooCommerce Custom Product Addons Pro 5.4.1 and older. Wordfence and Patchstack list 5.4.2 as the patched release, and the AcoWebs product page now shows a newer current version. If your license portal or plugin updater cannot confirm a patched build, pause the risky addon workflow until you can get a verified update from the vendor.
Who should check this first
- WooCommerce stores selling configurable, personalized, made-to-order, quote-based, or custom-priced products.
- Agencies managing multiple WooCommerce stores with paid product-option extensions.
- Hosting providers and support teams that maintain customer WordPress sites with WooCommerce and premium plugins.
- Stores that recently had unexplained admin users, changed product prices, failed checkouts, strange files, or unexpected email activity.
- Sites where the plugin is installed but no one is sure whether the Pro license still receives updates.
Safe update checklist
- Back up the site first. Save files and the database before changing a WooCommerce product-options plugin.
- Check the installed plugin version. If Custom Product Addons Pro is 5.4.1 or older, treat the store as exposed until patched or disabled.
- Update from a trusted source. Use the AcoWebs account/download path, the plugin’s legitimate updater, or your managed-hosting plugin update system. Do not install random copies from search results.
- Confirm the patched version. After the update, verify the store is running 5.4.2 or newer. The AcoWebs product page now lists a newer current version, so most stores should be beyond the minimum patched build.
- Test product options. Open products that use custom addons, confirm the options render, add items to cart, and verify pricing behaves as expected.
- Test checkout and emails. Place a small test order or use staging, then confirm order totals, tax, shipping, payment status, customer email, admin email, and fulfillment notes.
- Clear cache carefully. Purge page cache, object cache, CDN cache, and WooCommerce fragments only after the update is complete.
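The version check in the steps above can be scripted. The following is an added example, not code from the original post or from AcoWebs, Wordfence or Patchstack: it reads the `Version:` header that WordPress itself reads from a plugin's main file, compares it component by component against 5.4.2 (the first patched build named above), and reports "exposed" or "patched". The sample plugin header is constructed, and the path of the real plugin main file under `wp-content/plugins/` is an assumption you must fill in for your install.

```shell
#!/bin/sh
# Added example (not from the original post or the vendor): classify an installed
# WooCommerce Custom Product Addons Pro build against the first patched release.

PATCHED_VERSION="5.4.2"   # minimum fixed build listed by Wordfence and Patchstack

# Print the "Version:" header value of a plugin main file (empty if absent).
# WordPress reads plugin headers from the first 8 KB of the file, so we do the same.
plugin_version() {
    head -c 8192 "$1" \
      | sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
      | head -n 1
}

# Return 0 if dotted version $1 is lower than $2, 1 otherwise.
# Numeric comparison per component, so 5.4.10 correctly sorts above 5.4.2
# (a plain string comparison would get that wrong).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# Print "exposed" for 5.4.1 and older, "patched" for 5.4.2 and newer.
classify_version() {
    if version_lt "$1" "$PATCHED_VERSION"; then echo exposed; else echo patched; fi
}

# Check one plugin main file: prints "<status> <version>", exit 0 only when patched,
# exit 2 when no Version header could be read (treat that as exposed too).
check_plugin() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then echo "unknown -"; return 2; fi
    s=$(classify_version "$v")
    echo "$s $v"
    [ "$s" = "patched" ]
}

main() {
    # Constructed sample header standing in for the real main file, whose path
    # (e.g. wp-content/plugins/<plugin-slug>/<main-file>.php) is an assumption.
    tmp=$(mktemp -d)
    cat > "$tmp/main.php" <<'EOF'
<?php
/**
 * Plugin Name: Custom Product Addons Pro (constructed sample header)
 * Version: 5.4.1
 */
EOF
    check_plugin "$tmp/main.php"   # prints "exposed 5.4.1"
    rm -rf "$tmp"
}

main
```

Point `check_plugin` at the real plugin main file (or, where WP-CLI is installed, cross-check with `wp plugin list --fields=name,version`) and treat anything other than `patched` as "update or disable now" in the checklist above.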
If you cannot update right now
Disable the vulnerable plugin or remove the affected product-option workflow until the store can be patched. If the plugin is required for checkout, put the store into a controlled maintenance window, switch affected products to simpler options, or move custom orders to a manual quote process for a short period.
Do not leave an old Pro plugin running just because the storefront still looks normal. Paid WooCommerce extensions can fall out of update coverage when a license lapses, an agency handoff is incomplete, or the original download source is gone. If you cannot verify a fixed build, plan a replacement with a maintained product-options plugin and test every affected product before reopening normal checkout.
Post-update review for WooCommerce stores
- Review WordPress administrator accounts and remove unknown or unnecessary users.
- Review recently changed plugin, theme, uploads, and mu-plugin files for unexpected executable files.
- Check WooCommerce orders, refunds, coupons, product prices, shipping rules, taxes, and payment settings for unexplained changes.
- Rotate API keys, SMTP keys, payment-related credentials, and webhook secrets if you suspect the site was exposed before patching.
- Review hosting logs, malware-scan results, and security-plugin alerts for unusual activity around product pages and checkout.
- Ask the host to help inspect the account if the site had unknown admins, strange files, or checkout behavior you cannot explain.
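For the "recently changed files" step of the review above, here is an added example (not code from the original post) with two checks a store owner or host can run against `wp-content`: PHP-style files under `uploads/`, which should hold media only, and PHP files anywhere under `wp-content` modified within the last N days, which you can compare against the date of the plugin update. The standard WordPress layout (`uploads/`, `plugins/`, `mu-plugins/`, `themes/` under `wp-content`) is assumed, and the sample tree built in `main` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): file review helpers for the
# post-update checklist. Run against a backup copy or a read-only mount if
# you want to avoid touching access times on the live site.

# PHP-style files under wp-content/uploads. This tree should contain only media,
# so every hit deserves a look.
php_in_uploads() {
    find "$1/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' -o -name '*.php[0-9]' \) \
        2>/dev/null | sort
}

# PHP files anywhere under wp-content modified within the last $2 days.
# Files changed around the plugin update that nobody on the team touched
# (especially in mu-plugins/ and the theme) are the ones to inspect.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# Number of hits a check produced (0 means nothing found).
count_hits() {
    "$@" | grep -c . || true
}

main() {
    # Constructed sample wp-content tree: a legitimate image, a PHP file dropped
    # into uploads, a fresh plugin file and an old mu-plugin loader.
    t=$(mktemp -d)
    mkdir -p "$t/uploads/2026/06" "$t/plugins/sample-plugin" "$t/mu-plugins"
    : > "$t/uploads/2026/06/photo.jpg"
    : > "$t/uploads/2026/06/cache.php"
    : > "$t/plugins/sample-plugin/sample-plugin.php"
    : > "$t/mu-plugins/old-loader.php"
    touch -t 202401010000 "$t/mu-plugins/old-loader.php"   # predates the update window

    echo "PHP under uploads/:"
    php_in_uploads "$t"            # lists cache.php only
    echo "PHP changed in last 7 days:"
    recent_php "$t" 7              # lists cache.php and sample-plugin.php
    echo "hits: $(count_hits php_in_uploads "$t") / $(count_hits recent_php "$t" 7)"
    rm -rf "$t"
}

main
```

Hits from `php_in_uploads` are not proof of compromise on their own (some plugins do write helper files there), but they are exactly the "strange files" the review is meant to surface; keep the list and hand it to the host together with the plugin update date.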
Replacement guidance
If the plugin updates cleanly and your store tests pass, keeping the maintained version is reasonable. If the updater is broken, the license is lost, or the vendor path cannot be verified, do not keep stacking temporary workarounds. Export or document your product-option forms, list every product that depends on them, and migrate to a maintained WooCommerce product-options tool.
For stores with lots of custom product logic, test replacements on staging first. The risky part is not only security. Product-option plugins can change cart totals, tax handling, shipping rules, order notes, and fulfillment instructions. A rushed swap can break revenue just as quickly as a bad patch.
Related Fix I.T. Phill reading
- How to check WordPress backups and restore points
- How to check WooCommerce orders after maintenance
- Gift Cards for WooCommerce Pro CVE-2026-45444 patch guide
- Gravity SMTP CVE-2026-4020 mail key patch guide
- Everest Forms Pro CVE-2026-3300 patch guide
Sources
- Wordfence Intelligence record for CVE-2026-4001
- NVD record for CVE-2026-4001
- Patchstack advisory for WooCommerce Custom Product Addons Pro
- AcoWebs Custom Product Addons product and changelog page
Need help checking a WooCommerce store after a plugin security update? Fix I.T. Phill can help back up the site, apply the update safely, test checkout, review orders, and inspect the account for suspicious changes.