CVE-2026-32414
Published: 13 March 2026
Summary
CVE-2026-32414 is a high-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32414 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, in the Advanced Woo Labels WordPress plugin (slug advanced-woo-labels) developed by ILLID. The flaw allows Remote Code Inclusion and affects all plugin versions from n/a through 2.36 inclusive. Published on 2026-03-13, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): the High rating reflects full confidentiality, integrity and availability impact, held below Critical only by the privilege requirement.
Exploitation requires network access and high privileges (PR:H), i.e. an authenticated account at or near administrator level, with low attack complexity and no user interaction. A successful attack yields remote code execution inside the site's PHP process, giving the attacker control over the confidentiality, integrity and availability of the targeted WordPress installation.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/advanced-woo-labels/vulnerability/wordpress-advanced-woo-labels-plugin-2-36-remote-code-execution-rce-vulnerability?_s_id=cve covers this remote code execution vulnerability in Advanced Woo Labels versions through 2.36 and recommends updating to a patched release beyond 2.36.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11933
Vulnerability details
Improper Control of Generation of Code ('Code Injection') vulnerability in ILLID Advanced Woo Labels advanced-woo-labels allows Remote Code Inclusion. This issue affects Advanced Woo Labels: from n/a through 2.36.
- CWE(s): CWE-94 Improper Control of Generation of Code ('Code Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
Remote code execution through code injection in a public-facing WordPress plugin maps directly to Exploit Public-Facing Application (T1190); once attacker-supplied code runs inside the PHP process, the natural next step is arbitrary command execution on the Unix-hosted web server (T1059.004). Note that the CVSS vector requires high privileges (PR:H), so the T1190 step presupposes that the attacker already holds an administrator-level account on the site.
Affected Assets
- ILLID Advanced Woo Labels (advanced-woo-labels) WordPress plugin, all versions from n/a through 2.36
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly eliminates the code-injection flaw by updating the plugin past version 2.36.
- SI-10 (Information Input Validation): enforces validation of all input used to generate or include code, closing the CWE-94 Remote Code Inclusion path.
- Least privilege: restricts the high-privilege (admin) accounts that can reach the vulnerable label-generation functions, reducing the attack surface.