CVE-2026-0974
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
The Orderable - WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution.
Analysis
The Orderable WordPress plugin through version 1.20.0 fails to properly verify user permissions on plugin installation functions, enabling authenticated subscribers to install malicious plugins and achieve remote code execution. An attacker with minimal WordPress account privileges can exploit this capability check bypass to gain full server compromise without administrator credentials. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all WordPress installations for Orderable plugin presence and version; disable the plugin if running vulnerable versions and document business impact. Within 7 days: Contact plugin vendor for patch timeline; implement compensating controls listed below; review access logs for suspicious plugin installation activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today