Skip to main content

Advanced Woo Labels CVE-2026-32414

| EUVDEUVD-2026-11933 HIGH
Code Injection (CWE-94)
2026-03-13 Patchstack
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11933
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
HIGH 7.2

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in ILLID Advanced Woo Labels advanced-woo-labels allows Remote Code Inclusion.This issue affects Advanced Woo Labels: from n/a through <= 2.36.

AnalysisAI

A code injection vulnerability in ILLID Advanced Woo Labels WordPress plugin (versions up to 2.36) allows authenticated administrators to execute arbitrary code through improper input validation, potentially leading to full site compromise. The vulnerability requires high privileges to exploit (CVSS 7.2), has no known active exploitation in the wild (not in CISA KEV), and carries a very low EPSS score of 0.00043 (0.043%), indicating minimal real-world exploitation likelihood despite the high CVSS score.

Technical ContextAI

The vulnerability affects the Advanced Woo Labels plugin for WordPress/WooCommerce, a label management extension that allows customization of product labels in online stores. The flaw is classified as CWE-94 (Improper Control of Generation of Code), which occurs when user-controllable input is incorporated into dynamically generated code without proper validation or sanitization. This specific implementation allows Remote Code Inclusion, meaning an attacker can cause the application to include and execute malicious code from external sources, typically through PHP include/require functions or eval() statements that process unsanitized user input.

RemediationAI

Upgrade Advanced Woo Labels plugin to a version newer than 2.36 as soon as a patch becomes available from the vendor. Monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/b3a36c84-0340-4c68-9189-e815797cb88f for patch information. As an immediate mitigation, restrict WordPress administrator access to trusted users only and implement additional authentication factors for admin accounts. Consider temporarily disabling the plugin if it's not business-critical until a patch is released.

Share

CVE-2026-32414 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy