### Critical Vulnerability Information

**Vulnerability Details**

- **Vulnerability ID**: CVE-2026-1929
- **CVSS Score**: 8.8 (High)
- **Vulnerability Type**: Code Injection
- **Publication Date**: February 24, 2024
- **Last Updated**: February 25, 2024
- **Researchers**: Osvaldo Noe Gonzalez Del Rio (Os) - cyberdogzmarketing.com | krei.dev | ogbuilders.io

**Scope of Impact**

- **Affected Versions**: <= 2.36
- **Fixed Version**: 2.37
- **Plugin Name**: Advanced Woo Labels – Product Labels & Badges for WooCommerce

**Description**

The Advanced Woo Labels plugin for WordPress contains a Remote Code Execution (RCE) vulnerability in all versions, including 2.37. This issue arises because the `get_select_option_values()` AJAX handler utilizes `call_user_func_array()` without implementing whitelisting or capability checks for user-controlled callbacks and arguments. This allows an attacker with Contributor-level access or higher to execute arbitrary PHP functions and operating system commands via the `callback` parameter.

**References**

- [plugins.trac.wordpress.org](plugins.trac.wordpress.org)

**Remediation**

Update to version 2.37 or a later patched version.
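
**Hardened handler pattern (added example)**

The two controls the description says are missing, an allowlist and a capability check, sketched as an added example; this is not the plugin's code or its actual patch. The action name, nonce name, `params` field, `example_*` functions and the choice of the `manage_woocommerce` capability are all assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.

// Allowlist: request key => [fixed callable, maximum argument count].
// The request can only select one of these entries, never name a function.
const EXAMPLE_ALLOWED_CALLBACKS = [
    'product_statuses' => ['example_product_statuses', 0],
    'stock_states'     => ['example_stock_states', 0],
];

function example_product_statuses(): array {
    return ['publish' => 'Published', 'draft' => 'Draft'];
}

function example_stock_states(): array {
    return ['instock' => 'In stock', 'outofstock' => 'Out of stock'];
}

// Authorize first, then map the key to an allowlisted callable.
// Anything not on the list is rejected before call_user_func_array() runs.
function example_dispatch(string $key, array $args, bool $user_is_authorized): array {
    if (!$user_is_authorized) {
        throw new RuntimeException('forbidden');
    }
    if (!array_key_exists($key, EXAMPLE_ALLOWED_CALLBACKS)) {
        throw new InvalidArgumentException('unknown callback');
    }
    [$fn, $max_args] = EXAMPLE_ALLOWED_CALLBACKS[$key];
    if (count($args) > $max_args) {
        throw new InvalidArgumentException('too many arguments');
    }
    return call_user_func_array($fn, array_values($args));
}

// WordPress wiring; skipped when the file is run outside WordPress.
if (function_exists('add_action')) {
    add_action('wp_ajax_example_select_options', function () {
        check_ajax_referer('example_select_options', 'nonce'); // CSRF check
        $key  = sanitize_key(wp_unslash($_POST['callback'] ?? ''));
        $args = (isset($_POST['params']) && is_array($_POST['params']))
            ? wp_unslash($_POST['params']) : [];
        try {
            $allowed = current_user_can('manage_woocommerce'); // assumed capability
            wp_send_json_success(example_dispatch($key, $args, $allowed));
        } catch (Exception $e) {
            wp_send_json_error($e->getMessage(), 403);
        }
    });
}
```

With this shape, a Contributor-level account fails the capability check, and a `callback` value that is not an allowlist key is rejected without being resolved to a function.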