प्लेटफ़ॉर्म
wordpress
घटक
advanced-woo-labels
में ठीक किया गया
2.37
CVE-2026-1929 is a Remote Code Execution (RCE) vulnerability discovered in the Advanced Woo Labels plugin for WordPress. This flaw allows authenticated attackers, possessing Contributor-level access or higher, to execute arbitrary PHP code and operating system commands on the server. The vulnerability impacts versions 0.0.0 through 2.36, and a fix is available in version 2.37.
The impact of this vulnerability is severe. An attacker exploiting CVE-2026-1929 can gain complete control over the WordPress server. This includes the ability to modify website content, install malicious software, steal sensitive data (customer information, database credentials), and potentially pivot to other systems on the network. The attacker's ability to execute arbitrary code makes this a high-risk vulnerability, potentially leading to a full compromise of the web server and associated data. The reliance on calluserfunc_array() without proper validation is a common pattern in RCE vulnerabilities, similar to issues seen in other WordPress plugins.
CVE-2026-1929 was publicly disclosed on 2026-02-25. While no active exploitation campaigns have been confirmed, the ease of exploitation and the plugin's popularity suggest a potential for rapid exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk. This vulnerability has not yet been added to the CISA KEV catalog, but its high severity warrants close monitoring.
WordPress websites utilizing the Advanced Woo Labels plugin, particularly those with shared hosting environments or legacy configurations, are at significant risk. Sites with weak password policies or inadequate user access controls are especially vulnerable, as the vulnerability requires only Contributor-level access to be exploited.
• wordpress / composer / npm:
grep -r 'call_user_func_array' /var/www/html/wp-content/plugins/advanced-woo-labels/• wordpress / composer / npm:
wp plugin list | grep 'Advanced Woo Labels'• wordpress / composer / npm:
curl -s http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=get_select_option_values&callback=phpinfo() | grep PHP Versiondisclosure
एक्सप्लॉइट स्थिति
EPSS
0.27% (50% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2026-1929 is to immediately upgrade the Advanced Woo Labels plugin to version 2.37 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the getselectoption_values() AJAX endpoint. Web Application Firewalls (WAFs) can be configured to block requests with suspicious parameters in the 'callback' field. Monitor WordPress logs for unusual activity, particularly requests to the affected endpoint with unexpected parameters. After upgrading, confirm the fix by attempting to trigger the vulnerable AJAX endpoint with a malicious callback parameter and verifying that it is properly rejected.
संस्करण 2.37 में अपडेट करें, या एक नया पैच किया गया संस्करण
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2026-1929 is a Remote Code Execution vulnerability in the Advanced Woo Labels plugin for WordPress, allowing attackers with Contributor access to execute arbitrary code.
You are affected if you are using Advanced Woo Labels versions 0.0.0 through 2.36. Upgrade to version 2.37 to mitigate the risk.
Upgrade the Advanced Woo Labels plugin to version 2.37 or later. If upgrading is not possible, restrict access to the vulnerable AJAX endpoint.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation suggests a potential for rapid exploitation.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।