Description
The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter.
Published: 2026-02-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The Advanced Woo Labels plugin for WordPress allows authenticated users with Contributor-level access or higher to trigger arbitrary PHP function calls and shell commands by sending a crafted AJAX request whose 'callback' parameter, together with the accompanying parameters, the plugin passes straight to call_user_func_array(). Because the handler applies neither an allowlist of permitted callbacks nor a capability check, the attacker chooses both the function and its arguments; naming an OS command-execution function turns the flaw into remote code execution. The weakness is CWE-94 (Improper Control of Generation of Code, 'Code Injection'). Injected code runs with the privileges of the web server process, which is enough to take over the site and, depending on host hardening, to pivot further into the underlying operating system.

Affected Systems

WordPress sites running the Advanced Woo Labels plugin (Advanced Woo Labels – Product Labels & Badges For WooCommerce, by mihail-barinov) at version 2.37 or earlier. Every release up to and including 2.37 is affected regardless of WordPress core version; the flaw is in the plugin's get_select_option_values() AJAX handler used for retrieving option values.

Risk and Exploitability

The CVSS 3.1 base score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: the attack is network-reachable, low complexity, needs no user interaction, and requires only low privileges, which on WordPress means any account that can reach admin-ajax.php, Contributors included. The EPSS score below 1% indicates little observed exploitation activity so far, and the CVE is not in the CISA KEV catalog, but an authenticated RCE reachable from the lowest content-authoring role warrants prompt remediation, especially on sites with many contributor accounts.

Generated by OpenCVE AI on April 15, 2026 at 23:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced Woo Labels plugin to a release newer than 2.37 as soon as the vendor publishes one; every release up to and including 2.37 is affected.
  • If an upgrade is not immediately possible, restrict the AJAX handler to administrators by adding a capability check, resolve the requested callback through a fixed allowlist instead of passing user input to call_user_func_array(), or disable the handler for lower‑privilege roles.
  • Reduce the attack surface by revoking Contributor or higher roles from users who do not require them and ensuring that any remaining contributors have the least privilege necessary to perform their tasks.
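The following PHP is an added illustration, not code from the plugin, from Wordfence or from OpenCVE. It reconstructs the vulnerable pattern the description names (a request-supplied callback and parameter list handed to call_user_func_array()) and places beside it a hardened handler that applies the recommended capability check plus an allowlist and a nonce. The action name awl_get_select_options, the request fields source and search, the nonce action awl_select_options and the awl_options_* helpers are hypothetical; add_action, check_ajax_referer, current_user_can, wp_send_json_success, wp_send_json_error, get_terms, sanitize_key, sanitize_text_field and wp_unslash are real WordPress APIs, so the code assumes a WordPress runtime.

```php
<?php
// Added illustration; not the plugin's own code. Hypothetical names: the
// action 'awl_get_select_options', the request fields 'source' and 'search',
// the nonce action 'awl_select_options', and the awl_options_* helpers.

// ---- Vulnerable pattern (shown for contrast; never register this) --------
// The client supplies both the function name and its arguments, so any
// logged-in Contributor can send callback=system&params[]=id and run a
// shell command. is_callable() would not help: 'system' is callable.
function awl_vulnerable_get_select_option_values() {
    $callback = isset( $_POST['callback'] ) ? $_POST['callback'] : '';
    $params   = isset( $_POST['params'] )   ? (array) $_POST['params'] : array();
    $values   = call_user_func_array( $callback, $params ); // attacker-chosen sink
    wp_send_json_success( $values );
}

// ---- Hardened handler ----------------------------------------------------
// 1. The request names an opaque key, never a PHP function.
// 2. The key is resolved through a fixed allowlist of internal callables.
// 3. A nonce check and a capability check run before anything is called.
// 4. Arguments are reduced to one validated string, not forwarded raw.

function awl_option_sources() {
    // Request key => internal callable. Editing this array is the only way
    // to add a source; request data can never name a function directly.
    return array(
        'product_categories' => 'awl_options_product_categories',
        'product_tags'       => 'awl_options_product_tags',
    );
}

function awl_options_for_taxonomy( $taxonomy, $search ) {
    $terms = get_terms( array(
        'taxonomy'   => $taxonomy,
        'hide_empty' => false,
        'search'     => $search,
        'fields'     => 'id=>name',
    ) );
    return is_wp_error( $terms ) ? array() : $terms;
}

function awl_options_product_categories( $search = '' ) {
    return awl_options_for_taxonomy( 'product_cat', $search );
}

function awl_options_product_tags( $search = '' ) {
    return awl_options_for_taxonomy( 'product_tag', $search );
}

function awl_safe_get_select_option_values() {
    // Nonce: rejects requests that did not originate from a form this plugin
    // rendered (check_ajax_referer dies with HTTP 403 on failure).
    check_ajax_referer( 'awl_select_options', 'nonce' );

    // Capability: administrators only, as the workaround above suggests.
    // wp_send_json_error() ends the request, so nothing below runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $sources = awl_option_sources();
    $key     = isset( $_POST['source'] ) ? sanitize_key( wp_unslash( $_POST['source'] ) ) : '';
    if ( ! isset( $sources[ $key ] ) ) {
        wp_send_json_error( 'unknown option source', 400 );
    }

    $search = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';

    // The callable comes from the allowlist and the argument list is fixed,
    // so no request field ever reaches call_user_func as a function name.
    $values = call_user_func( $sources[ $key ], $search );
    wp_send_json_success( $values );
}
add_action( 'wp_ajax_awl_get_select_options', 'awl_safe_get_select_option_values' );
```

The client-side JavaScript must send the nonce produced by wp_create_nonce( 'awl_select_options' ) in the nonce field for the hardened handler to accept the request. To audit other plugins for the same class of bug, search the plugin tree for call_user_func and call_user_func_array (for example, grep -rn "call_user_func" wp-content/plugins/) and, for each hit, trace whether the first argument can be derived from $_GET, $_POST or $_REQUEST; a sink whose function name comes from the request is a finding regardless of any is_callable() guard.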


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Mihail-barinov; Mihail-barinov Advanced Woo Labels – Product Labels & Badges For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Mihail-barinov; Mihail-barinov Advanced Woo Labels – Product Labels & Badges For Woocommerce; Wordpress; Wordpress wordpress

Wed, 25 Feb 2026 08:30:00 +0000

Type: Description
Values Added: (identical to the description shown at the top of this page)

Type: Title
Values Added: Advanced Woo Labels <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:33.467Z

Reserved: 2026-02-04T20:28:59.180Z

Link: CVE-2026-1929

Vulnrichment

Updated: 2026-02-25T16:36:46.692Z

NVD

Status : Deferred

Published: 2026-02-25T09:16:15.173

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1929

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:00:14Z

Weaknesses