PT-2026-8384 · WordPress · Wowrevenue
Itthidej Aramsri · Published 2026-02-16 · Updated 2026-02-16 · CVE-2026-2001
CVSS v3.1: 8.8 High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WowRevenue plugin for WordPress versions up to and including 2.1.3
Description
The WowRevenue plugin for WordPress is susceptible to unauthorized plugin installation because of a missing capability check within the Notice::install activate plugin function. This allows authenticated attackers with subscriber-level access or higher to install arbitrary plugins on the affected WordPress site. Successful exploitation may lead to remote code execution.
Recommendations
Versions prior to and including 2.1.3 should be updated to a newer, fixed version when available. As a temporary workaround, restrict user permissions to prevent subscribers and other low-privilege users from installing plugins. Monitor plugin installations for any unauthorized activity.
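One way to implement the monitoring recommendation, as an added example that is not WowRevenue's code or part of the original advisory: a must-use plugin that logs every plugin install and activation and flags those where the acting user lacks the `install_plugins` or `activate_plugins` capability. The file name, the `pia_` prefix and the log format are assumptions, and it assumes the affected code path goes through WordPress's `Plugin_Upgrader` and `activate_plugin()`, which fire the hooks used here.

```php
<?php
/**
 * Plugin Name: Plugin Install Audit (added example, hypothetical)
 * Location:    wp-content/mu-plugins/plugin-install-audit.php (assumed name)
 */

// Log one plugin event with the acting user and whether that user holds the
// capability WordPress core requires for it. "NO" means a code path let the
// action through without a capability check.
function pia_log_event( $event, $target, $required_cap ) {
	if ( defined( 'WP_CLI' ) && WP_CLI ) {
		return; // WP-CLI runs without a logged-in user; not the case audited here.
	}
	$user    = wp_get_current_user();
	$allowed = current_user_can( $required_cap );
	$uri     = isset( $_SERVER['REQUEST_URI'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) )
		: '-';
	$line    = sprintf(
		'[plugin-audit] event=%s target=%s user_id=%d login=%s roles=%s has_%s=%s uri=%s',
		$event,
		$target,
		$user->ID,
		$user->user_login,
		implode( ',', (array) $user->roles ),
		$required_cap,
		$allowed ? 'yes' : 'NO',
		$uri
	);
	error_log( $line );
	if ( ! $allowed ) {
		wp_mail( get_option( 'admin_email' ), "Unauthorized plugin $event", $line );
	}
}

// Fires when Plugin_Upgrader finishes; $hook_extra says what was done.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
	$is_install = isset( $hook_extra['type'], $hook_extra['action'] )
		&& 'plugin' === $hook_extra['type'] && 'install' === $hook_extra['action'];
	if ( $is_install ) {
		$info = method_exists( $upgrader, 'plugin_info' ) ? $upgrader->plugin_info() : false;
		pia_log_event( 'install', $info ? $info : 'unknown', 'install_plugins' );
	}
}, 10, 2 );

// Fires from activate_plugin() once a plugin has been activated.
add_action( 'activated_plugin', function ( $plugin ) {
	pia_log_event( 'activate', $plugin, 'activate_plugins' );
} );
```

A `has_install_plugins=NO` or `has_activate_plugins=NO` line for a subscriber-level account is the unauthorized activity the recommendation asks you to watch for.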
Fix
RCE
Missing Authorization
Affected Products
Wowrevenue