Cyber Posture

CVE-2026-1929

Severity: High · Type: RCE

Published: 25 February 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1929 is a high-severity Code Injection (CWE-94) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 41.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Requires validation of the user-controlled 'callback' parameter in the get_select_option_values() AJAX handler to block arbitrary PHP function execution.

prevent: Enforces capability checks before processing the vulnerable AJAX handler, preventing authenticated attackers without sufficient privileges from exploiting it.

prevent: Ensures Contributor-level users do not have unnecessary privileges to access sensitive AJAX endpoints that could lead to RCE.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a remote code execution flaw in a public-facing WordPress plugin's AJAX handler, allowing authenticated low-privilege attackers to execute arbitrary PHP code and OS commands, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter.

Deeper analysis

CVE-2026-1929 is a remote code execution vulnerability in the Advanced Woo Labels plugin for WordPress, affecting all versions up to and including 2.37. The flaw arises from the improper use of the `call_user_func_array()` function with user-controlled callback and parameters within the `get_select_option_values()` AJAX handler. This handler lacks an allowlist of permitted callbacks or any capability checks, enabling the execution of arbitrary code.

Authenticated attackers possessing at least Contributor-level access can exploit this vulnerability remotely with low attack complexity and no user interaction required. By manipulating the 'callback' parameter in the AJAX request, they can execute arbitrary PHP functions and operating system commands on the affected server, resulting in high impacts to confidentiality, integrity, and availability (CVSS v3.1 score of 8.8; CWE-94).

References highlight the vulnerable code locations, including lines 136 and 146 in `includes/admin/class-awl-admin-ajax.php` across plugin tags 2.34 and 2.37, as well as the trunk version. The Wordfence threat intelligence advisory provides additional details on the issue (CVE source: https://www.wordfence.com/threat-intel/vulnerabilities/id/bbae9c33-becb-4c9d-917f-0d8fe8312d0c?source=cve).
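To make the two missing controls concrete, here is an added illustration (not the plugin's own code) of the handler shape the advisory describes, beside a hardened version that adds a capability check, a nonce check and an allowlist. Function names, the `manage_woocommerce` capability choice, the nonce action and the AJAX hook name are assumptions.

```php
<?php
// Added illustration, not code from Advanced Woo Labels.
// Helper names (awl_list_*), the nonce action and the hook name are assumed.

// Vulnerable shape: the callback and its arguments come straight from the request.
function awl_get_select_option_values_vulnerable() {
    $callback = isset( $_POST['callback'] ) ? $_POST['callback'] : '';
    $params   = isset( $_POST['params'] ) ? (array) $_POST['params'] : array();
    // Whatever function name the caller supplies is invoked with caller-chosen
    // arguments, and nothing above checks who the caller is.
    wp_send_json( call_user_func_array( $callback, $params ) );
}

// Hardened version: the request selects a key, never a callable name.
function awl_get_select_option_values_hardened() {
    // 1. Capability check (AC-3): Contributor-level users must not reach this code.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce check: the request must originate from the admin page that issued it.
    check_ajax_referer( 'awl_select_options', 'nonce' );

    // 3. Allowlist (SI-10): only these two callbacks can ever be invoked.
    $allowed = array(
        'product_cats' => 'awl_list_product_categories', // assumed helper
        'product_tags' => 'awl_list_product_tags',       // assumed helper
    );
    $key = isset( $_POST['callback'] ) ? sanitize_key( wp_unslash( $_POST['callback'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown option source', 400 );
    }

    // 4. Arguments are sanitized and typed here, not forwarded verbatim.
    $search = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';
    wp_send_json_success( call_user_func( $allowed[ $key ], $search ) );
}
add_action( 'wp_ajax_awl_select_option_values', 'awl_get_select_option_values_hardened' );
```

The essential change is that a request can no longer name a PHP function at all; it can only pick an entry from a fixed map, and only after the capability check has already rejected low-privilege accounts.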

Details

CWE(s): CWE-94 (Code Injection)

Affected Products

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-35178 (shared CWE-94)
CVE-2024-1490 (shared CWE-94)
CVE-2024-7419 (shared CWE-94)
CVE-2025-46581 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)
CVE-2025-10679 (shared CWE-94)
CVE-2024-57401 (shared CWE-94)
CVE-2026-23498 (shared CWE-94)
CVE-2026-39337 (shared CWE-94)
CVE-2025-69564 (shared CWE-94)

References