8.8

Advanced Woo Labels plugin for WordPress allows hackers to run server commands

CVE-2026-1929
Summary

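An attacker with Contributor-level access or above can use the plugin to run server commands or execute malicious code on your website. The plugin's `get_select_option_values()` AJAX handler passes a user-controlled callback and parameters to `call_user_func_array()` without an allowlist of permitted callbacks or a capability check. Update the plugin to the latest version to fix this issue.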

Original title
The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controll...
Original description
The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter.
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-94 Code Injection
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
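
The description above names two missing controls: an allowlist of permitted callbacks and a capability check. The following is an added example of an AJAX handler with both in place; it is not the plugin's code or its actual fix. Every `example_` name, the nonce action and field, the use of `$_POST`, and the choice of `manage_woocommerce` as the required capability are assumptions.

```php
<?php
// Added example: hypothetical names, not taken from the Advanced Woo Labels source.

// Allowlist: the request sends a short key, which is mapped to a fixed callable.
// The request value itself is never used as a PHP function name.
function example_select_sources(): array {
    return [
        'product_tags' => 'example_product_tags',
        'user_roles'   => 'example_user_roles',
    ];
}

function example_product_tags(): array {
    $terms = get_terms( [ 'taxonomy' => 'product_tag', 'hide_empty' => false, 'fields' => 'id=>name' ] );
    return is_wp_error( $terms ) ? [] : $terms;
}

function example_user_roles(): array {
    return wp_roles()->get_names();
}

function example_get_select_option_values(): void {
    // 1. Nonce check (action and field name are assumptions); exits on failure.
    check_ajax_referer( 'example_select_options', 'nonce' );

    // 2. Capability check: in a default install, Contributors do not hold this capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( [ 'message' => 'Forbidden' ], 403 );
    }

    // 3. Treat 'callback' as an opaque key and reject anything outside the allowlist.
    $key     = isset( $_POST['callback'] ) ? sanitize_key( wp_unslash( $_POST['callback'] ) ) : '';
    $sources = example_select_sources();
    if ( ! isset( $sources[ $key ] ) ) {
        wp_send_json_error( [ 'message' => 'Unknown source' ], 400 );
    }

    // 4. Call the fixed callable with no request-supplied arguments.
    wp_send_json_success( call_user_func( $sources[ $key ] ) );
}
add_action( 'wp_ajax_example_get_select_option_values', 'example_get_select_option_values' );
```

The block runs inside WordPress with WooCommerce active. Registering only the `wp_ajax_` hook, and no `wp_ajax_nopriv_` hook, keeps the endpoint unavailable to logged-out visitors.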