CVE-2026-1929 is a remote code execution vulnerability classified under CWE-94 (Improper Control of Generation of Code) found in the Advanced Woo Labels – Product Labels & Badges plugin for WooCommerce, developed by mihail-barinov. The vulnerability exists in all plugin versions up to and including 2.37. The root cause is the use of the PHP function call_user_func_array() within the get_select_option_values() AJAX handler, which accepts a user-controlled 'callback' parameter. This parameter is not validated against an allowlist of permitted callbacks nor is there a capability check to restrict access. As a result, authenticated users with Contributor-level privileges or higher can invoke arbitrary PHP functions and execute operating system commands on the hosting server. The attack vector is network-based and does not require additional user interaction beyond authentication. Exploitation can lead to full compromise of the web server, including data theft, defacement, or pivoting to internal networks. The vulnerability has a CVSS v3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, combined with low attack complexity and limited privileges required. No official patches or updates are currently listed, and no known exploits have been observed in the wild as of the publication date. The plugin’s widespread use in WooCommerce-based WordPress sites makes this a significant threat to e-commerce platforms relying on this labeling functionality.

The impact of CVE-2026-1929 is severe for organizations using the affected Advanced Woo Labels plugin. Successful exploitation allows attackers with Contributor-level access to execute arbitrary PHP code and OS commands remotely, potentially leading to full server compromise. This can result in unauthorized data access or exfiltration, website defacement, malware deployment, and disruption of e-commerce operations. The integrity of product labels and badges can be manipulated, undermining customer trust and brand reputation. Additionally, attackers may leverage the compromised server as a foothold to move laterally within corporate networks, increasing the risk of broader breaches. The vulnerability affects the confidentiality, integrity, and availability of affected systems, making it critical for organizations to address promptly. Given the plugin’s integration with WooCommerce, a popular e-commerce platform, the threat extends to online retailers globally, potentially impacting revenue and customer data privacy.

To mitigate CVE-2026-1929, organizations should immediately update the Advanced Woo Labels plugin once an official patch is released by the vendor. Until a patch is available, implement the following specific mitigations: 1) Restrict access to the AJAX handler by modifying the plugin code to include strict capability checks, ensuring only trusted roles (e.g., Administrator) can invoke the callback functionality. 2) Implement an allowlist of permissible callback functions to prevent arbitrary function execution. 3) Disable or restrict the plugin’s AJAX endpoints at the web server or application firewall level to block unauthorized requests. 4) Monitor web server logs for suspicious AJAX requests containing unusual callback parameters. 5) Enforce the principle of least privilege by reviewing and limiting user roles and permissions in WordPress, especially for Contributor-level users. 6) Employ Web Application Firewalls (WAFs) with custom rules to detect and block exploitation attempts targeting this vulnerability. 7) Conduct regular security audits and vulnerability scans focusing on WordPress plugins. These targeted actions go beyond generic advice and directly address the vulnerability’s exploitation vector.