WordPress Plugin Vulnerabilities

Advanced Woo Labels < 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter

Description

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter.

Affects Plugins

Plugin icon
advanced-woo-labels
Fixed in 2.37

References

CVE
CVE-2026-1929
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bbae9c33-becb-4c9d-917f-0d8fe8312d0c

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
Verified
No
WPVDB ID
98961876-64bb-4d44-a2d0-57ff6e2b2ae3

Timeline

Publicly Published
2026-02-24 (about 3 months ago)
Added
2026-02-24 (about 3 months ago)
Last Updated
2026-02-25 (about 3 months ago)

Other

Published
Title
Published
2020-04-27
Title
Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCE
Published
2022-10-28
Title
Api2Cart Bridge Connector < 1.2.0 - Unauthenticated RCE
Published
2025-02-17
Title
Uncode Core < 2.9.1.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution in uncode_get_medias
Published
2025-02-07
Title
WP All Export Pro < 1.9.2 - Unauthenticated Remote Code Execution via Custom Export Fields
Published
2017-09-16
Title
VaultPress 1.89-1.9 - Unauthenticated RCE