Advanced Woo Labels Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the Advanced Woo Labels plugin for WordPress, affecting all versions through 2.37. The issue arises from the 'get_select_option_values()' AJAX handler, which uses 'call_user_func_array()' with user-controlled callbacks and parameters, lacking a proper allowlist or capability check. This vulnerability allows authenticated attackers with Contributor-level access and above to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter.

Impact

Exploitation of this vulnerability allows for remote code execution on the server.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a request to the 'get_select_option_values()' AJAX handler. The request must include a 'callback' parameter with a value that corresponds to a legitimate callback function in the WordPress environment. The absence of a callback allowlist or proper capability checks enables the execution of arbitrary code.
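The weak pattern the advisory describes, beside a hardened handler, as an added illustrative example (this is not the plugin's own code; the helper names, nonce action and hook name are assumptions):

```php
<?php
// Added example, not code from Advanced Woo Labels. Function, option and
// nonce names below are assumptions chosen to illustrate the pattern.

// Weak pattern described in the advisory: the callback name and its
// arguments come straight from the request and are handed to
// call_user_func_array() with no allowlist and no capability check.
function weak_get_select_option_values() {
    $callback = isset( $_POST['callback'] ) ? $_POST['callback'] : '';
    $params   = isset( $_POST['params'] ) ? (array) $_POST['params'] : array();
    wp_send_json( call_user_func_array( $callback, $params ) );
}

// Hardened version: capability check, nonce check, a fixed server-side
// allowlist keyed by a short name, and arguments validated to a known shape.
function hardened_get_select_option_values() {
    // Only users allowed to manage settings may reach this handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject requests without a valid nonce for this action (name assumed).
    check_ajax_referer( 'awl_select_options', 'nonce' );

    // The request picks a key from this map; it never names a PHP function.
    $allowed = array(
        'product_categories' => 'awl_example_product_categories', // assumed helper
        'product_tags'       => 'awl_example_product_tags',       // assumed helper
    );
    $key = isset( $_POST['callback'] ) ? sanitize_key( wp_unslash( $_POST['callback'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown option source', 400 );
    }

    // Arguments are constrained to what the helper expects: one search string.
    $search = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';

    wp_send_json_success( call_user_func( $allowed[ $key ], $search ) );
}
// Hook name is an assumption; the real plugin's action name is not given on this page.
add_action( 'wp_ajax_awl_get_select_option_values', 'hardened_get_select_option_values' );
```

A code review or static rule that flags any `call_user_func`/`call_user_func_array` whose first argument is traceable to `$_POST`, `$_GET` or `$_REQUEST` catches this class of bug before it ships.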

Remediation

Users are advised to update the Advanced Woo Labels plugin to version 2.37 or later.

Added: Feb 25, 2026, 10:51 AM
Updated: Feb 25, 2026, 10:51 AM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 10.0
exploitability: 6.4
remediation: 7.7
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.