{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1929", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T20:28:59.180Z", "datePublished": "2026-02-25T08:25:31.823Z", "dateUpdated": "2026-04-08T17:18:33.467Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:33.467Z"}, "affected": [{"vendor": "mihail-barinov", "product": "Advanced Woo Labels \u2013 Product Labels & Badges for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.36", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter."}], "title": "Advanced Woo Labels <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbae9c33-becb-4c9d-917f-0d8fe8312d0c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/tags/2.34/includes/admin/class-awl-admin-ajax.php#L136"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/tags/2.34/includes/admin/class-awl-admin-ajax.php#L146"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/trunk/includes/admin/class-awl-admin-ajax.php#L146"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/tags/2.37/includes/admin/class-awl-admin-ajax.php#L136"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-02-06T12:28:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-24T19:54:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T16:36:40.659627Z", "id": "CVE-2026-1929", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:37:12.800Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1929", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T16:36:40.659627Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:36:46.692Z"}}], "cna": {"title": "Advanced Woo Labels <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "mihail-barinov", "product": "Advanced Woo Labels \u2013 Product Labels & Badges for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.36"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-06T12:28:16.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-24T19:54:05.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbae9c33-becb-4c9d-917f-0d8fe8312d0c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/tags/2.34/includes/admin/class-awl-admin-ajax.php#L136"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/tags/2.34/includes/admin/class-awl-admin-ajax.php#L146"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/trunk/includes/admin/class-awl-admin-ajax.php#L146"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/tags/2.37/includes/admin/class-awl-admin-ajax.php#L136"}], "descriptions": [{"lang": "en", "value": "The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:33.467Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1929", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:33.467Z", "dateReserved": "2026-02-04T20:28:59.180Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-25T08:25:31.823Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter."}, {"lang": "es", "value": "El plugin Advanced Woo Labels para WordPress es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo en todas las versiones hasta e incluyendo la 2.37. Esto se debe al uso de `call_user_func_array()` con una devoluci\u00f3n de llamada y par\u00e1metros controlados por el usuario en el gestor AJAX `get_select_option_values()` sin una lista blanca de devoluciones de llamada permitidas o una verificaci\u00f3n de capacidad. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, ejecuten funciones PHP arbitrarias y comandos del sistema operativo en el servidor a trav\u00e9s del par\u00e1metro 'callback'."}], "id": "CVE-2026-1929", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-25T09:16:15.173", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/tags/2.34/includes/admin/class-awl-admin-ajax.php#L136"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/tags/2.34/includes/admin/class-awl-admin-ajax.php#L146"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/tags/2.37/includes/admin/class-awl-admin-ajax.php#L136"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-woo-labels/trunk/includes/admin/class-awl-admin-ajax.php#L146"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbae9c33-becb-4c9d-917f-0d8fe8312d0c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Advanced Woo Labels \u2013 Product Labels & Badges for WooCommerce", "source": "cna", "vendor": "mihail-barinov"}, "product": "advanced_woo_labels_\u2013_product_labels_&_badges_for_woocommerce", "vendor": "mihail-barinov"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:55:11.236934+00:00", "value": {"mitigation_remediation": ["Upgrade the Advanced Woo Labels plugin to the latest stable release available.", "If an upgrade is not immediately possible, restrict the AJAX endpoint to administrators only by adding a capability check or disabling the handler for lower\u2011privilege roles.", "Reduce the attack surface by revoking Contributor or higher roles from users who do not require them and ensuring that any remaining contributors have the least privilege necessary to perform their tasks."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Advanced Woo Labels plugin version 2.37 or earlier, developed by mihail-barinov. The vulnerability affects all releases up to and including 2.37, regardless of WordPress core version, and is located in the addon\u2019s AJAX handler used for retrieving option values.", "description_and_impact": "The Advanced Woo Labels plugin for WordPress allows authenticated users with Contributor level access or higher to trigger arbitrary PHP function calls and shell commands by sending a carefully crafted AJAX request with a user-controlled 'callback' parameter. Because the code uses call_user_func_array() without any allowlist or capability verification, an attacker can inject malicious callbacks. This flaw matches CWE-94 (Code Injection via call_user_func_array) and enables remote code execution that can compromise the entire web server, giving the attacker full control over the site and potentially the underlying operating system.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.8, indicating a high impact, while the EPSS score of less than 1% suggests low current exploitation activity but still warrants precaution. The exploit does not rely on any special network exposure, only requiring internet-accessible AJAX calls, so it is potentially widely accessible to attackers with contributor credentials. It is not listed in the CISA catalog, but the high severity and the nature of remote code execution require prompt remediation."}}}}, "created": "2026-02-26T13:18:18.720857+00:00", "updated": "2026-04-16T00:00:14.154099+00:00", "vendors": ["mihail-barinov", "mihail-barinov$PRODUCT$advanced_woo_labels_\u2013_product_labels_&_badges_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}