Advanced Woo Labels <= 2.37 - Exécution de code à distance authentifiée (Contributeur+) via le paramètre 'callback'
Plateforme
wordpress
Composant
advanced-woo-labels
Corrigé dans
2.37
CVE-2026-1929 is a Remote Code Execution (RCE) vulnerability discovered in the Advanced Woo Labels plugin for WordPress. This flaw allows authenticated attackers, possessing Contributor-level access or higher, to execute arbitrary PHP code and operating system commands on the server. The vulnerability impacts versions 0.0.0 through 2.36, and a fix is available in version 2.37.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Impact et Scénarios d'Attaquetraduction en cours…
The impact of this vulnerability is severe. An attacker exploiting CVE-2026-1929 can gain complete control over the WordPress server. This includes the ability to modify website content, install malicious software, steal sensitive data (customer information, database credentials), and potentially pivot to other systems on the network. The attacker's ability to execute arbitrary code makes this a high-risk vulnerability, potentially leading to a full compromise of the web server and associated data. The reliance on calluserfunc_array() without proper validation is a common pattern in RCE vulnerabilities, similar to issues seen in other WordPress plugins.
Contexte d'Exploitationtraduction en cours…
CVE-2026-1929 was publicly disclosed on 2026-02-25. While no active exploitation campaigns have been confirmed, the ease of exploitation and the plugin's popularity suggest a potential for rapid exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk. This vulnerability has not yet been added to the CISA KEV catalog, but its high severity warrants close monitoring.
Qui Est à Risquetraduction en cours…
WordPress websites utilizing the Advanced Woo Labels plugin, particularly those with shared hosting environments or legacy configurations, are at significant risk. Sites with weak password policies or inadequate user access controls are especially vulnerable, as the vulnerability requires only Contributor-level access to be exploited.
Étapes de Détectiontraduction en cours…
• wordpress / composer / npm:
grep -r 'call_user_func_array' /var/www/html/wp-content/plugins/advanced-woo-labels/• wordpress / composer / npm:
wp plugin list | grep 'Advanced Woo Labels'• wordpress / composer / npm:
curl -s http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=get_select_option_values&callback=phpinfo() | grep PHP VersionChronologie de l'Attaque
- Disclosure
disclosure
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
0.27% (percentile 50%)
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Faible — tout compte utilisateur valide est suffisant.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Élevé — panne complète ou épuisement des ressources. Déni de service total.
Logiciel Affecté
Informations sur le paquet
- Installations actives
- 10KConnu
- Note du plugin
- 5.0
- Nécessite WordPress
- 4.0+
- Compatible jusqu'à
- 7.0
- Nécessite PHP
- 7.0+
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- Modifiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2026-1929 is to immediately upgrade the Advanced Woo Labels plugin to version 2.37 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the getselectoption_values() AJAX endpoint. Web Application Firewalls (WAFs) can be configured to block requests with suspicious parameters in the 'callback' field. Monitor WordPress logs for unusual activity, particularly requests to the affected endpoint with unexpected parameters. After upgrading, confirm the fix by attempting to trigger the vulnerable AJAX endpoint with a malicious callback parameter and verifying that it is properly rejected.
Comment corriger
Mettre à jour vers la version 2.37, ou une version corrigée plus récente
Newsletter Sécurité CVE
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
Questions fréquentestraduction en cours…
What is CVE-2026-1929 — RCE in Advanced Woo Labels WordPress Plugin?
CVE-2026-1929 is a Remote Code Execution vulnerability in the Advanced Woo Labels plugin for WordPress, allowing attackers with Contributor access to execute arbitrary code.
Am I affected by CVE-2026-1929 in Advanced Woo Labels WordPress Plugin?
You are affected if you are using Advanced Woo Labels versions 0.0.0 through 2.36. Upgrade to version 2.37 to mitigate the risk.
How do I fix CVE-2026-1929 in Advanced Woo Labels WordPress Plugin?
Upgrade the Advanced Woo Labels plugin to version 2.37 or later. If upgrading is not possible, restrict access to the vulnerable AJAX endpoint.
Is CVE-2026-1929 being actively exploited?
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation suggests a potential for rapid exploitation.
Where can I find the official Advanced Woo Labels advisory for CVE-2026-1929?
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.