WordPress Plugin Vulnerabilities

Advanced Woo Labels < 2.37 - Authenticated (Admin+) Remote Code Execution

Description

The Advanced Woo Labels – Product Labels & Badges for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.36. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
advanced-woo-labels
Fixed in 2.37

References

CVE
CVE-2026-32414
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b591b7df-8492-4f66-8884-b4b27c0f0a11

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
a7971159-192e-44d2-80fa-1638a3576ab6

Timeline

Publicly Published
2026-02-25 (about 3 months ago)
Added
2026-05-05 (about 1 month ago)
Last Updated
2026-05-05 (about 1 month ago)

Other

Published
Title
Published
2025-03-26
Title
PDF for WPForms < 5.3.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2020-10-09
Title
Autoptimize < 2.7.8 - Race Condition leading to RCE
Published
2025-08-23
Title
Global DNS < 3.1.1 - Unauthenticated Remote Code Execution
Published
2025-04-21
Title
Ocean Extra < 2.4.7 - Unauthenticated Arbitrary Shortcode Execution
Published
2025-02-12
Title
Avada Theme < 7.11.14 - Unauthenticated Arbitrary Shortcode Execution