Remote Code Execution Vulnerability in Advanced Woo Labels Plugin by WooCommerce
CVE-2026-1929

8.8HIGH

Key Information:

Vendor

WordPress
Status
Advanced Woo Labels – Product Labels & Badges For WooCommerce
Vendor
CVE Published:
25 February 2026

What is CVE-2026-1929?

The Advanced Woo Labels plugin for WordPress is susceptible to a Remote Code Execution flaw across all versions up to 2.37. This vulnerability arises from the improper use of call_user_func_array() with user-controllable callbacks and parameters in the get_select_option_values() AJAX handler. The absence of an allowlist for permitted callbacks or a capability check enables authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and potentially run operating system commands on the server through the 'callback' parameter. This presents a significant risk to website integrity and security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Advanced Woo Labels – Product Labels & Badges for WooCommerce * <= 2.36

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/advanced-woo-l...
https://plugins.trac.wordpress.org/browser/advanced-woo-l...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osvaldo Noe Gonzalez Del Rio
JSON
.