216.73.217.86

CVE-2026-1929

· Published 25/02/2026 09:16 · Modified 25/02/2026 14:15

Labels: CVE-2026-1929 2026-02-25CVE-2026-1929CWE-94[email protected]

Essential information

Published
25/02/2026 09:16
Modified
25/02/2026 14:15
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wordpress / advanced woo labels cpe:2.3:a:wordpress:advanced_woo_labels:*:*:*:*:*:wordpress:*:*

References