Plateforme
wordpress
Composant
advanced-woo-labels
Corrigé dans
2.37
CVE-2026-1929 is a Remote Code Execution (RCE) vulnerability discovered in the Advanced Woo Labels plugin for WordPress. This flaw allows authenticated attackers, possessing Contributor-level access or higher, to execute arbitrary PHP code and operating system commands on the server. The vulnerability impacts versions 0.0.0 through 2.36, and a fix is available in version 2.37.
The impact of this vulnerability is severe. An attacker exploiting CVE-2026-1929 can gain complete control over the WordPress server. This includes the ability to modify website content, install malicious software, steal sensitive data (customer information, database credentials), and potentially pivot to other systems on the network. The attacker's ability to execute arbitrary code makes this a high-risk vulnerability, potentially leading to a full compromise of the web server and associated data. The reliance on calluserfunc_array() without proper validation is a common pattern in RCE vulnerabilities, similar to issues seen in other WordPress plugins.
CVE-2026-1929 was publicly disclosed on 2026-02-25. While no active exploitation campaigns have been confirmed, the ease of exploitation and the plugin's popularity suggest a potential for rapid exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk. This vulnerability has not yet been added to the CISA KEV catalog, but its high severity warrants close monitoring.
WordPress websites utilizing the Advanced Woo Labels plugin, particularly those with shared hosting environments or legacy configurations, are at significant risk. Sites with weak password policies or inadequate user access controls are especially vulnerable, as the vulnerability requires only Contributor-level access to be exploited.
• wordpress / composer / npm:
grep -r 'call_user_func_array' /var/www/html/wp-content/plugins/advanced-woo-labels/• wordpress / composer / npm:
wp plugin list | grep 'Advanced Woo Labels'• wordpress / composer / npm:
curl -s http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=get_select_option_values&callback=phpinfo() | grep PHP Versiondisclosure
Statut de l'Exploit
EPSS
0.27% (percentile 50%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2026-1929 is to immediately upgrade the Advanced Woo Labels plugin to version 2.37 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the getselectoption_values() AJAX endpoint. Web Application Firewalls (WAFs) can be configured to block requests with suspicious parameters in the 'callback' field. Monitor WordPress logs for unusual activity, particularly requests to the affected endpoint with unexpected parameters. After upgrading, confirm the fix by attempting to trigger the vulnerable AJAX endpoint with a malicious callback parameter and verifying that it is properly rejected.
Mettre à jour vers la version 2.37, ou une version corrigée plus récente
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2026-1929 is a Remote Code Execution vulnerability in the Advanced Woo Labels plugin for WordPress, allowing attackers with Contributor access to execute arbitrary code.
You are affected if you are using Advanced Woo Labels versions 0.0.0 through 2.36. Upgrade to version 2.37 to mitigate the risk.
Upgrade the Advanced Woo Labels plugin to version 2.37 or later. If upgrading is not possible, restrict access to the vulnerable AJAX endpoint.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation suggests a potential for rapid exploitation.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.