HIGH · CVE-2026-1929 · CVSS 8.8

Advanced Woo Labels <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter

Platform

wordpress

Component

advanced-woo-labels

Fixed in

2.37

AI Confidence: high · NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2026-1929 is a Remote Code Execution (RCE) vulnerability discovered in the Advanced Woo Labels plugin for WordPress. This flaw allows authenticated attackers, possessing Contributor-level access or higher, to execute arbitrary PHP code and operating system commands on the server. The vulnerability impacts versions 0.0.0 through 2.36, and a fix is available in version 2.37.


Impact and Attack Scenarios

The impact of this vulnerability is severe. An attacker exploiting CVE-2026-1929 can gain complete control over the WordPress server. This includes the ability to modify website content, install malicious software, steal sensitive data (customer information, database credentials), and potentially pivot to other systems on the network. The attacker's ability to execute arbitrary code makes this a high-risk vulnerability, potentially leading to a full compromise of the web server and associated data. Passing attacker-controlled input to call_user_func_array() without validating it against a fixed set of expected callbacks is a common pattern in RCE vulnerabilities, similar to issues seen in other WordPress plugins.

Exploitation Context

CVE-2026-1929 was publicly disclosed on 2026-02-25. While no active exploitation campaigns have been confirmed, the ease of exploitation and the plugin's popularity suggest a potential for rapid exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk. This vulnerability has not yet been added to the CISA KEV catalog, but its high severity warrants close monitoring.

Who Is at Risk

WordPress websites utilizing the Advanced Woo Labels plugin, particularly those with shared hosting environments or legacy configurations, are at significant risk. Sites with weak password policies or inadequate user access controls are especially vulnerable, as the vulnerability requires only Contributor-level access to be exploited.

Detection Steps

• Search the installed plugin source for the dynamic-call pattern named in this advisory:

grep -r 'call_user_func_array' /var/www/html/wp-content/plugins/advanced-woo-labels/

• Confirm whether the plugin is installed and which version is active (affected: 0.0.0 through 2.36):

wp plugin list | grep 'Advanced Woo Labels'

• After upgrading, confirm that the AJAX endpoint no longer executes the value of the 'callback' parameter; the response should not contain the PHP version string (URL and pattern are quoted so the shell does not interpret the parentheses, ampersand and space):

curl -s 'http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=get_select_option_values&callback=phpinfo()' | grep 'PHP Version'

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 3 threat reports

EPSS

0.27% (50th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 8.8, HIGH; source: nextguardhq.com, CVSS v3.1 base score)

What do these metrics mean?

Attack Vector: Network. How the attacker reaches the target: remotely exploitable over the internet; no physical or local access required.
Attack Complexity: Low. Conditions required to exploit: no special preconditions; reliably exploitable.
Privileges Required: Low. Authentication level required: any valid user account is sufficient.
User Interaction: None. Whether the victim must act: no; the attack is automatic and silent.
Scope: Unchanged. Impact beyond the affected component: limited to the vulnerable component.
Confidentiality: High. Risk of exposure of sensitive data: complete loss of confidentiality; the attacker can read all data.
Integrity: High. Risk of unauthorized data modification: the attacker can write, modify or delete all data.
Availability: High. Risk of service disruption: full crash or resource exhaustion; total denial of service.

Affected Software

Component: advanced-woo-labels
Vendor: wordfence
Affected range: 0.0.0 – 2.36
Fixed in: 2.37

Package Information

Active installations: 10K
Plugin rating: 5.0
Requires WordPress: 4.0+
Compatible up to: 7.0
Requires PHP: 7.0+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-1929 is to immediately upgrade the Advanced Woo Labels plugin to version 2.37 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the get_select_option_values AJAX action. Web Application Firewalls (WAFs) can be configured to block requests to that action whose 'callback' parameter is anything other than the callback names the plugin is expected to use. Monitor WordPress and web server logs for unusual activity, particularly requests to the affected endpoint with unexpected parameters. After upgrading, confirm the fix by attempting to trigger the vulnerable AJAX endpoint with a malicious callback parameter and verifying that it is properly rejected.
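The log-monitoring and WAF-style check described in the detection steps and in the mitigation paragraph above, as an added example that is not part of the original advisory or of the plugin: it scans web server access-log lines for requests to admin-ajax.php with action=get_select_option_values and flags any 'callback' value that is not on an allowlist of expected callback names. The log lines and the allowlist entry `awl_options` are constructed for the example; the real expected names would come from the patched plugin.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (not from a real site).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Feb/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_select_option_values&callback=awl_options HTTP/1.1" 200 512
203.0.113.11 - - [25/Feb/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=get_select_option_values&callback=phpinfo%28%29 HTTP/1.1" 200 61440
203.0.113.12 - - [25/Feb/2026:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90
203.0.113.13 - - [25/Feb/2026:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=get_select_option_values&callback=awl_debug_dump HTTP/1.1" 200 200
"""

# Hypothetical allowlist of callbacks the site expects this AJAX action to use
# (assumption for this example; take the real names from the patched plugin source).
EXPECTED_CALLBACKS = {"awl_options"}

TARGET_ACTION = "get_select_option_values"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)')
IDENT_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')  # a bare PHP function name


def classify_callback(value: str) -> str:
    """'expected' if allowlisted, 'unexpected-identifier' if a plain name not on
    the allowlist, 'malformed' if it is not even a bare identifier (e.g. 'phpinfo()')."""
    if value in EXPECTED_CALLBACKS:
        return "expected"
    if IDENT_RE.match(value):
        return "unexpected-identifier"
    return "malformed"


def scan_log(text: str) -> list:
    """Return one finding per request to the affected action with a non-allowlisted callback.
    Only GET query strings are visible in access logs; a WAF applies the same rule to POST bodies."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query)  # percent-decodes, so %28%29 becomes ()
        if params.get("action", [""])[0] != TARGET_ACTION:
            continue
        for cb in params.get("callback", []):
            verdict = classify_callback(cb)
            if verdict != "expected":
                findings.append({"ip": m["ip"], "ts": m["ts"], "callback": cb,
                                 "verdict": verdict, "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} callback={f['callback']!r} -> {f['verdict']} (HTTP {f['status']})")
```

A 200 response to a flagged request on an unpatched version is the signal to treat the host as potentially compromised rather than merely probed.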

How to Fix

Update to version 2.37 or a newer patched version


Frequently Asked Questions

What is CVE-2026-1929 — RCE in Advanced Woo Labels WordPress Plugin?

CVE-2026-1929 is a Remote Code Execution vulnerability in the Advanced Woo Labels plugin for WordPress, allowing attackers with Contributor access to execute arbitrary code.

Am I affected by CVE-2026-1929 in Advanced Woo Labels WordPress Plugin?

You are affected if you are using Advanced Woo Labels versions 0.0.0 through 2.36. Upgrade to version 2.37 to mitigate the risk.

How do I fix CVE-2026-1929 in Advanced Woo Labels WordPress Plugin?

Upgrade the Advanced Woo Labels plugin to version 2.37 or later. If upgrading is not possible, restrict access to the vulnerable AJAX endpoint.

Is CVE-2026-1929 being actively exploited?

While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation suggests a potential for rapid exploitation.

Where can I find the official Advanced Woo Labels advisory for CVE-2026-1929?

Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.
