Cyber Posture

CVE-2026-1929

High

Published: 25 February 2026

Modified: 15 April 2026
KEV Added: (no date listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter.

Mitigating Controls (NIST 800-53 r5)

- prevent: Requires validation of the user-controlled 'callback' parameter in the `get_select_option_values()` AJAX handler to block arbitrary PHP function execution.
- prevent: Enforces capability checks before processing the vulnerable AJAX handler, preventing authenticated attackers without sufficient privileges from exploiting it.
- prevent: Ensures Contributor-level users do not have unnecessary privileges to access sensitive AJAX endpoints that could lead to RCE.
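The three controls above, and the flaw the Description and Security Summary describe, come down to one code shape: a request-supplied string handed to `call_user_func_array()` as the function name. The block below is an added illustration written for this page and is not code from the Advanced Woo Labels plugin. The "before" handler only reconstructs the shape the advisory describes; the plugin's real handler at lines 136 and 146 of `includes/admin/class-awl-admin-ajax.php` is not reproduced. The AJAX action hook name, the nonce action and field names, the `params` and `search` parameter names, and the option-provider helpers are all assumptions; `check_ajax_referer()`, `current_user_can()`, `sanitize_key()`, `sanitize_text_field()`, `wp_unslash()`, `wp_send_json_error()`, `wp_send_json_success()`, `get_terms()`, `is_wp_error()` and `add_action()` are real WordPress APIs.

```php
<?php
/*
 * Added illustration of the pattern behind CVE-2026-1929, not the plugin's code.
 * "Before" reconstructs the flaw's shape (call_user_func_array() on a
 * request-controlled callback with no allowlist and no capability check).
 * Hook name, nonce names, 'params'/'search' parameters and the provider
 * helpers are assumptions; the wp_* calls are real WordPress functions.
 */

/* BEFORE: vulnerable shape. Any logged-in user who can reach admin-ajax.php
 * chooses the PHP function and its arguments. */
function awl_get_select_option_values_before() {
    $callback = $_POST['callback'];                         // e.g. 'system'
    $params   = (array) ( $_POST['params'] ?? array() );    // e.g. array( 'id' )
    $values   = call_user_func_array( $callback, $params );
    wp_send_json_success( $values );
}

/* AFTER: hardened. The 'callback' value is only ever a key into a fixed map of
 * internal providers, and the request must carry a valid nonce and a
 * capability that Contributor-level accounts do not hold. */
function awl_get_select_option_values_after() {
    // CSRF protection; 'awl_admin_nonce' and 'nonce' are assumed names.
    check_ajax_referer( 'awl_admin_nonce', 'nonce' );

    // Capability check. manage_woocommerce is held by Shop Managers and
    // Administrators; Contributors, Authors and Editors do not have it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Allowlist: request key => internal callable. Nothing taken from the
    // request is ever passed to call_user_func*() as the function name.
    $providers = array(
        'product_categories' => 'awl_option_values_product_categories',
        'product_tags'       => 'awl_option_values_product_tags',
    );

    $key = isset( $_POST['callback'] ) ? sanitize_key( wp_unslash( $_POST['callback'] ) ) : '';
    if ( ! array_key_exists( $key, $providers ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option source.' ), 400 );
    }

    // Arguments are reduced to the single string the providers accept.
    $search = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';

    $values = call_user_func( $providers[ $key ], $search );
    wp_send_json_success( $values );
}

// Assumed provider helpers: return term_id => name for a WooCommerce taxonomy.
function awl_option_values_for_taxonomy( $taxonomy, $search ) {
    $terms = get_terms( array(
        'taxonomy'   => $taxonomy,
        'hide_empty' => false,
        'search'     => $search,
    ) );
    $out = array();
    if ( is_wp_error( $terms ) ) {
        return $out;
    }
    foreach ( $terms as $term ) {
        $out[ $term->term_id ] = $term->name;
    }
    return $out;
}

function awl_option_values_product_categories( $search ) {
    return awl_option_values_for_taxonomy( 'product_cat', $search );
}

function awl_option_values_product_tags( $search ) {
    return awl_option_values_for_taxonomy( 'product_tag', $search );
}

// Only the logged-in wp_ajax_ hook is registered (no wp_ajax_nopriv_), and
// only for the hardened handler.
add_action( 'wp_ajax_awl_get_select_option_values', 'awl_get_select_option_values_after' );
```

Two points worth keeping in mind when reviewing a fix of this kind. The `wp_send_json_*()` functions end the request through `wp_die()`, so the early-exit branches need no explicit `return`. More importantly, the capability check alone is not a complete fix: a Shop Manager could still name any PHP function, so the allowlist lookup is the control that actually removes the code-injection primitive. A quick audit for the same pattern elsewhere is to search plugin code for `call_user_func` and `call_user_func_array` and confirm the first argument never derives from `$_GET`, `$_POST` or `$_REQUEST`.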

Security Summary

CVE-2026-1929 is a remote code execution vulnerability in the Advanced Woo Labels plugin for WordPress, affecting all versions up to and including 2.37. The flaw arises from the improper use of the `call_user_func_array()` function with user-controlled callback and parameters within the `get_select_option_values()` AJAX handler. This handler lacks an allowlist of permitted callbacks or any capability checks, enabling the execution of arbitrary code.

Authenticated attackers possessing at least Contributor-level access can exploit this vulnerability remotely with low attack complexity and no user interaction required. By manipulating the 'callback' parameter in the AJAX request, they can execute arbitrary PHP functions and operating system commands on the affected server, resulting in high impacts to confidentiality, integrity, and availability (CVSS v3.1 score of 8.8; CWE-94).

References highlight the vulnerable code locations, including lines 136 and 146 in `includes/admin/class-awl-admin-ajax.php` across plugin tags 2.34 and 2.37, as well as the trunk version. The Wordfence threat intelligence advisory provides additional details on the issue (CVE source: https://www.wordfence.com/threat-intel/vulnerabilities/id/bbae9c33-becb-4c9d-917f-0d8fe8312d0c?source=cve).

Details

CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote code execution flaw in the AJAX handler of a WordPress plugin exposed on a public-facing site. An attacker holding any Contributor-level or higher account can execute arbitrary PHP functions and OS commands on the web server, which maps directly to T1190: Exploit Public-Facing Application. Note that the technique requires a valid low-privilege account; it is not an unauthenticated pre-auth exploit.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References