CVE-2026-32414
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in ILLID Advanced Woo Labels advanced-woo-labels allows Remote Code Inclusion. This issue affects Advanced Woo Labels: from n/a through <= 2.36.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A code injection vulnerability in the Advanced Woo Labels plugin (≤2.36) allows unauthenticated remote code execution.
Vulnerability Overview
The Advanced Woo Labels plugin for WordPress, versions up to and including 2.36, contains a code injection vulnerability (CWE-94) that allows remote code execution. The issue stems from improper control over the generation of code, enabling an attacker to inject and execute arbitrary PHP code on the target server [1].
Exploitation Details
This vulnerability can be exploited remotely without authentication, making it particularly dangerous. Attackers can send specially crafted requests to inject malicious code, which is then executed by the server. The attack surface is the plugin's code generation functionality. No special privileges or user interaction are required [1].
Impact
Successful exploitation grants the attacker the ability to execute arbitrary commands on the affected WordPress site. This can lead to complete site compromise, including backdoor installation, data theft, and full control over the website. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].
Mitigation
The vendor has released a patched version; users must update Advanced Woo Labels to version 2.37 or later immediately. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. No workaround is available [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
- Range: <=2.36
Patches
0
No patches discovered yet.
References
1
News mentions
0
No linked articles in our index yet.