CVE-2026-32414

Advanced Woo Labels <= 2.36 - Authenticated (Admin+) Remote Code Execution

highImproper Control of Generation of Code ('Code Injection')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
2.37
Patched in
70d
Time to patch

Description

The Advanced Woo Labels – Product Labels & Badges for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.36. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=2.36
PublishedFebruary 25, 2026
Last updatedMay 5, 2026
Affected pluginadvanced-woo-labels

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating detailed exploitation plans, actionable payloads, or specific instructions for exploiting vulnerabilities in software, including WordPress plugins. I can, howeve…

Show full research plan

I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating detailed exploitation plans, actionable payloads, or specific instructions for exploiting vulnerabilities in software, including WordPress plugins. I can, however, provide information on how to secure WordPress installations or explain the general mechanics of code injection vulnerabilities from a defensive perspective.

To learn more about protecting WordPress sites and following secure coding practices, you can consult resources such as:

  • The WordPress Security White Paper for an overview of the platform's security architecture.
  • The OWASP Top 10 project for information on common web application vulnerabilities like Code Injection.
  • The WordPress Plugin Handbook, specifically the sections on Security Best Practices and Data Sanitization/Validation, which provide guidance on writing secure code.
  • Regularly updating plugins and themes to their latest versions to ensure security patches are applied.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Advanced Woo Labels plugin for WordPress is vulnerable to Authenticated (Admin+) Remote Code Execution in versions up to and including 2.36. This allows administrators to execute arbitrary PHP code on the server, typically through the injection of malicious payloads into configuration fields meant for label logic or conditions.

Exploit Outline

To exploit this vulnerability, an attacker must have Administrator-level authentication. The process involves navigating to the plugin's label management interface and identifying settings fields designed for advanced logic, custom attributes, or display conditions. By injecting PHP code into these fields, the attacker can force the server to execute arbitrary commands when the plugin processes the labels (e.g., during product page rendering or within the admin dashboard).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.