PT-2026-8384 · WordPress · Wowrevenue

Itthidej Aramsri · Published 2026-02-16 · Updated 2026-02-16 · CVE-2026-2001

CVSS v3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
WowRevenue plugin for WordPress versions up to and including 2.1.3

Description
The WowRevenue plugin for WordPress is susceptible to unauthorized plugin installation because of a missing capability check within the Notice::install_activate_plugin function. This allows authenticated attackers with subscriber-level access or higher to install arbitrary plugins on the affected WordPress site. Successful exploitation may lead to remote code execution.

Recommendations
Versions prior to and including 2.1.3 should be updated to a newer, fixed version when available. As a temporary workaround, restrict user permissions to prevent subscribers and other low-privilege users from installing plugins. Monitor plugin installations for any unauthorized activity.
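
One way to apply the workaround and the monitoring advice above, as an added example that is not WowRevenue or vendor code: a must-use plugin (hypothetical file wp-content/mu-plugins/plugin-guard.php) that refuses plugin installs started by users without the install_plugins capability and logs activations by users without activate_plugins. It assumes the affected install path goes through WordPress's standard Plugin_Upgrader; the "plugin-guard" name and log prefix are made up for illustration.

```php
<?php
/**
 * Added example, not WowRevenue code. Drop into wp-content/mu-plugins/.
 * Assumption: the plugin install being guarded uses core's Plugin_Upgrader.
 */

// True for contexts that legitimately run without a logged-in administrator.
function plugin_guard_trusted_context() {
    return ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron();
}

// Abort the package download when a plugin install or update is started
// by a user who lacks the core install_plugins capability.
add_filter( 'upgrader_pre_download', function ( $reply, $package, $upgrader ) {
    if ( ! ( $upgrader instanceof Plugin_Upgrader ) ) {
        return $reply; // Themes, core and translations are out of scope here.
    }
    if ( plugin_guard_trusted_context() || current_user_can( 'install_plugins' ) ) {
        return $reply;
    }
    error_log( sprintf(
        '[plugin-guard] blocked plugin install: user_id=%d package=%s',
        get_current_user_id(),
        wp_json_encode( $package ) // Encoded so the value cannot break the log line.
    ) );
    // Returning a WP_Error makes WP_Upgrader stop before fetching the package.
    return new WP_Error(
        'plugin_guard_denied',
        'Plugin installation requires the install_plugins capability.'
    );
}, 10, 3 );

// Activation has already happened when this fires, so this part only records
// the event for review; it does not undo it.
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    if ( plugin_guard_trusted_context() || current_user_can( 'activate_plugins' ) ) {
        return;
    }
    error_log( sprintf(
        '[plugin-guard] plugin activated by low-privilege user: user_id=%d plugin=%s network_wide=%d',
        get_current_user_id(),
        wp_json_encode( $plugin ),
        $network_wide ? 1 : 0
    ) );
}, 10, 2 );
```

Entries go to the PHP error log, so alerting on the "[plugin-guard]" prefix gives a signal for the unauthorized activity the recommendation asks to monitor.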

Fix

RCE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-2001

Affected Products

Wowrevenue