CVE-2026-0974
Unauthorized Plugin Installation in Orderable Plugin Enables RCE
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iconic | onboard | up to 1.20.0 (inclusive) |
| orderable | wordpress_restaurant_online_ordering_system | up to 1.20.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin up to version 1.20.0. It is caused by a missing capability check on the 'install_plugin' function, which allows authenticated users with Subscriber-level access or higher to install arbitrary plugins without proper authorization.
This unauthorized plugin installation can lead to Remote Code Execution, meaning an attacker could run malicious code on the affected WordPress site.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized installation of plugins by low-privileged users, which can escalate to Remote Code Execution on the server hosting the WordPress site.
An attacker exploiting this flaw could gain control over the website, manipulate content, steal sensitive data, or use the server for malicious activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized plugin installation via the 'install_plugin' function in the Orderable WordPress plugin, exploitable by authenticated users with Subscriber-level access or higher.
To detect exploitation attempts on your system or network, you can monitor for unusual plugin installation activities or AJAX requests targeting the 'install_plugin' action related to the Orderable plugin.
Specifically, you can look for HTTP POST requests containing parameters like 'install_plugin' or 'plugin_data' in the WordPress AJAX endpoint (usually wp-admin/admin-ajax.php) from users with low privilege levels.
Suggested commands to detect such activity include:
- Using web server logs (e.g., Apache or Nginx) to search for suspicious AJAX calls: grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'install_plugin'
- Using WordPress debug or audit logs to identify plugin installation attempts by Subscriber-level users.
- Monitoring database entries or WordPress options related to newly installed plugins or changes in plugin activation status. [2]
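As an added illustration of the log check suggested above (example code written for this page, not part of the CVE record or the Orderable plugin), the script below parses Apache combined-format access log lines, flags admin-ajax.php requests whose query-string action contains 'install_plugin', and separately lists admin-ajax.php POSTs whose action is not visible in the log. The log lines and the action name orderable_install_plugin are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# The action name "orderable_install_plugin" is an assumed placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Feb/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=orderable_install_plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2026:10:01:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Feb/2026:10:02:15 +0000] "GET /wp-content/plugins/orderable/assets/app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Feb/2026:10:02:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # Keep only the first value of each query parameter.
    entry["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return entry

def is_ajax(entry):
    return entry is not None and entry["path"].endswith("/wp-admin/admin-ajax.php")

def is_suspect(entry):
    """True when the AJAX action named in the query string contains 'install_plugin'."""
    return is_ajax(entry) and "install_plugin" in entry["query"].get("action", "")

def find_suspects(log_text):
    return [e for e in map(parse_line, log_text.splitlines()) if is_suspect(e)]

def opaque_ajax_posts(log_text):
    """AJAX POSTs whose action is only in the request body, so the access log cannot classify them."""
    entries = map(parse_line, log_text.splitlines())
    return [e for e in entries if is_ajax(e) and e["method"] == "POST" and "action" not in e["query"]]

if __name__ == "__main__":
    for e in find_suspects(SAMPLE_LOG):
        print("suspect:", e["ip"], e["ts"], e["query"]["action"])
    print("needs body inspection:", len(opaque_ajax_posts(SAMPLE_LOG)))
```

Because the action parameter of a POST normally travels in the request body, a plain access log only reveals it when it is also sent in the query string; the second list shows how many admin-ajax.php POSTs need a WAF, reverse-proxy or WordPress audit log to classify.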
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict or monitor access to the Orderable plugin's AJAX endpoints, especially the 'install_plugin' action.
- Update the Orderable WordPress Restaurant Online Ordering System plugin to a version later than 1.20.0 where the missing capability check is fixed.
- Temporarily disable or remove the vulnerable plugin if an update is not immediately available.
- Audit user roles and permissions to ensure that only trusted users have Subscriber-level or higher access.
- Implement additional monitoring and alerting for unexpected plugin installations or activations.