PT-2026-21888 · WordPress · Advanced Woo Labels

Published: 2026-02-25 · Updated: 2026-03-02 · CVE-2026-1929

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Advanced Woo Labels versions prior to 2.3

Description

The Advanced Woo Labels plugin for WordPress is susceptible to Remote Code Execution due to the use of call_user_func_array() with user-controlled callback and parameters in the get_select_option_values() AJAX handler. The lack of an allowlist of permitted callbacks or a capability check allows authenticated attackers with Contributor-level access or higher to execute arbitrary PHP functions and potentially operating system commands on the server via the callback parameter.

Recommendations

Update Advanced Woo Labels to a version later than 2.3.
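
For maintainers reviewing similar AJAX handlers, the following added example (not the plugin's code or its actual patch) shows the two controls the description names as missing: a capability check and an allowlist that maps a request key to a fixed server-side callable. It assumes a WordPress and WooCommerce environment; every example_* name, the source and search fields, the nonce action and the choice of the manage_woocommerce capability are assumptions made for illustration.

```php
<?php
// Added example; every example_* name, the 'source' field and the nonce action are hypothetical.

// Allowlist: request key => server-side callable. The request value is only
// ever an array index here, never a function name.
function example_option_sources(): array {
    return array(
        'product_cat' => static fn( string $s ): array => example_term_options( 'product_cat', $s ),
        'product_tag' => static fn( string $s ): array => example_term_options( 'product_tag', $s ),
    );
}

// Fixed, read-only lookup: term id => name for one taxonomy.
function example_term_options( string $taxonomy, string $search ): array {
    $terms = get_terms( array(
        'taxonomy'   => $taxonomy,
        'search'     => $search,
        'fields'     => 'id=>name',
        'hide_empty' => false,
    ) );
    return is_wp_error( $terms ) ? array() : $terms;
}

function example_ajax_select_option_values(): void {
    // CSRF check; dies with 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_select_options', 'nonce' );

    // Capability check. Assumption: label settings are a shop-manager task,
    // so Contributor-level accounts are rejected here.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $key    = isset( $_POST['source'] ) ? sanitize_key( wp_unslash( $_POST['source'] ) ) : '';
    $search = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';

    $sources = example_option_sources();
    if ( ! array_key_exists( $key, $sources ) ) {
        // Unknown key: refuse; do not fall back to calling the raw value.
        wp_send_json_error( array( 'message' => 'Unknown option source' ), 400 );
    }

    // Arguments are fixed by the server-side closure, not taken from the request.
    wp_send_json_success( $sources[ $key ]( $search ) );
}
// wp_ajax_* only fires for logged-in users; no wp_ajax_nopriv_* hook is registered.
add_action( 'wp_ajax_example_select_option_values', 'example_ajax_select_option_values' );
```

When auditing other plugins for the same pattern, look for call_user_func() or call_user_func_array() whose first argument can be traced back to $_GET, $_POST or $_REQUEST inside a wp_ajax_* handler.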

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-1929

Affected Products

Advanced Woo Labels