Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in ILLID Advanced Woo Labels advanced-woo-labels allows Remote Code Inclusion.This issue affects Advanced Woo Labels: from n/a through <= 2.36.
AnalysisAI
A code injection vulnerability in ILLID Advanced Woo Labels WordPress plugin (versions up to 2.36) allows authenticated administrators to execute arbitrary code through improper input validation, potentially leading to full site compromise. The vulnerability requires high privileges to exploit (CVSS 7.2), has no known active exploitation in the wild (not in CISA KEV), and carries a very low EPSS score of 0.00043 (0.043%), indicating minimal real-world exploitation likelihood despite the high CVSS score.
Technical ContextAI
The vulnerability affects the Advanced Woo Labels plugin for WordPress/WooCommerce, a label management extension that allows customization of product labels in online stores. The flaw is classified as CWE-94 (Improper Control of Generation of Code), which occurs when user-controllable input is incorporated into dynamically generated code without proper validation or sanitization. This specific implementation allows Remote Code Inclusion, meaning an attacker can cause the application to include and execute malicious code from external sources, typically through PHP include/require functions or eval() statements that process unsanitized user input.
RemediationAI
Upgrade Advanced Woo Labels plugin to a version newer than 2.36 as soon as a patch becomes available from the vendor. Monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/b3a36c84-0340-4c68-9189-e815797cb88f for patch information. As an immediate mitigation, restrict WordPress administrator access to trusted users only and implement additional authentication factors for admin accounts. Consider temporarily disabling the plugin if it's not business-critical until a patch is released.
More in Advanced Woo Labels
View allSame weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11933