CVE-2026-2019 HIGH

CVE-2026-2019: Cart All In One For WooCommerce <= 1.1.21 - Authenticated (Administrator+) Code Injection via 'sc_assign_page' Setting

Vendor Villatheme
Product Cart All In One For WooCommerce
Weakness CWE-74
Published February 18, 2026
Last update April 8, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server.
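The following added example is not the plugin's code. It contrasts the pattern class described above (a stored setting string reaching eval()) with an allowlist evaluator that never executes the setting as PHP. It assumes the setting holds a page rule built from WordPress/WooCommerce conditional tags such as is_cart(); all function and constant names prefixed with example_ are hypothetical.

```php
<?php
// Added illustration with hypothetical names; not the plugin's source code.

// Pattern class the advisory describes: a stored setting string reaches eval().
function example_rule_matches_unsafe(string $rule): bool {
    return (bool) eval("return ($rule);"); // whatever PHP the setting holds is executed
}

// Safer design: the rule may only name no-argument conditional tags from this list.
const EXAMPLE_ALLOWED_TAGS = ['is_cart', 'is_checkout', 'is_shop', 'is_front_page', 'is_home'];

// Parse "tag() || !tag() ..." into [[name, negated], ...].
// Returns null if the rule contains anything other than allowlisted tags.
function example_parse_rule(string $rule): ?array {
    $terms = [];
    foreach (explode('||', $rule) as $part) {
        if (!preg_match('/^\s*(!?)\s*([a-z_]+)\(\s*\)\s*$/', $part, $m)) {
            return null; // arguments, operators, quotes, etc. are rejected
        }
        if (!in_array($m[2], EXAMPLE_ALLOWED_TAGS, true)) {
            return null; // syntactically valid call, but not an approved tag
        }
        $terms[] = [$m[2], $m[1] === '!'];
    }
    return $terms;
}

// Evaluate the rule by calling only allowlisted functions; fail closed on bad input.
function example_rule_matches(string $rule): bool {
    $terms = example_parse_rule($rule);
    if ($terms === null) {
        return false;
    }
    foreach ($terms as [$name, $negated]) {
        $value = function_exists($name) ? (bool) $name() : false;
        if ($value !== $negated) {
            return true; // terms are OR-ed together
        }
    }
    return false;
}
```

Running example_parse_rule() when the setting is saved as well as when it is read keeps a rejected value from ever being stored.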

Explanation of Vulnerability in Simple Terms

02 Summary

Cart All In One For WooCommerce versions up to 1.1.21 contain an improper input validation vulnerability that allows high-privileged users to read sensitive data, modify site content, or disrupt service. The vulnerability requires administrator-level access and network connectivity. Site owners should update to a version newer than 1.1.21 immediately.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify site content, or disrupt service with administrator-level access.

Potential impact on your site

04 Site Impact

Administrators with malicious intent or compromised admin accounts can access confidential data and alter site functionality.

Conditions required to exploit

05 Prerequisites

Attacker must have administrator-level privileges on the WordPress site.

Key dates

06 Disclosure timeline

February 18, 2026 CVE published
April 8, 2026 Record updated