{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2001", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T17:25:44.508Z", "datePublished": "2026-02-16T19:24:03.102Z", "dateUpdated": "2026-04-08T16:59:28.521Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:28.521Z"}, "affected": [{"vendor": "wpxpo", "product": "WowRevenue \u2013 Product Bundles & Bulk Discounts", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible."}], "title": "WowRevenue <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d881f00-5985-45d5-9aab-d143a010d739?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/revenue/tags/2.1.3/includes/notice/class-notice.php#L909"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-02-08T06:50:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-16T07:19:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T14:41:20.990748Z", "id": "CVE-2026-2001", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:42:45.233Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2001", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-17T14:41:20.990748Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:42:04.038Z"}}], "cna": {"title": "WowRevenue <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "wpxpo", "product": "WowRevenue \u2013 Product Bundles & Bulk Discounts", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-08T06:50:05.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-16T07:19:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d881f00-5985-45d5-9aab-d143a010d739?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/revenue/tags/2.1.3/includes/notice/class-notice.php#L909"}], "descriptions": [{"lang": "en", "value": "The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-16T19:24:03.102Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2001", "state": "PUBLISHED", "dateUpdated": "2026-02-17T14:42:45.233Z", "dateReserved": "2026-02-05T17:25:44.508Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-16T19:24:03.102Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El plugin WowRevenue para WordPress es vulnerable a la instalaci\u00f3n no autorizada de plugins debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n 'Notice::install_activate_plugin' en todas las versiones hasta la 2.1.3, inclusive. Esto permite a atacantes autenticados, con acceso de nivel de suscriptor y superior, instalar plugins arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2026-2001", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-16T20:19:36.190", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/revenue/tags/2.1.3/includes/notice/class-notice.php#L909"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d881f00-5985-45d5-9aab-d143a010d739?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.3]"}}], "product": "wowrevenue_\u2013_product_bundles_&_bulk_discounts", "vendor": "wpxpo"}], "analysis": {"en": {"generated_at": "2026-04-15T18:21:53.464555+00:00", "value": {"mitigation_remediation": ["Upgrade the WowRevenue plugin to the newest version that includes the missing capability check in the installation function.", "If a patch is not immediately available, remove or disable the plugin\u2019s capability to install other plugins for subscriber-level accounts, for example by editing the plugin file to block the install_activate_plugin call for non\u2011administrator roles.", "Audit all user accounts with subscriber-level access and reduce privileges where possible, ensuring that only trusted users have permission to add plugins."], "summary": {"action": "Immediate patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Vendor: wpxpo \u2013 WowRevenue \u2013 Product Bundles & Bulk Discounts. The plugin version 2.1.3 and earlier are affected. Users employing this plugin on any WordPress installation are potentially vulnerable until a patch or later release is applied.", "description_and_impact": "The WowRevenue plugin for WordPress contains a missing capability check in the Notice::install_activate_plugin function that allows authenticated users with subscriber-level access to install arbitrary plugins. This flaw is a classic missing authorization issue (CWE-862). An attacker who can log in as a subscriber can use the publish\u2011edit interface to activate a malicious plugin, which may contain code that can be executed on the server, thereby compromising confidentiality, integrity, and availability of the site.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% denotes a very low exploitation probability at the time of analysis. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog, suggesting no publicly known exploits yet. The likely attack path involves authenticating as a subscriber, invoking the vulnerable installation routine, and enrolling a malicious plugin that can execute arbitrary code on the server."}}}}, "created": "2026-02-17T08:49:01.393424+00:00", "updated": "2026-04-15T18:30:10.940117+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpxpo", "wpxpo$PRODUCT$wowrevenue_\u2013_product_bundles_&_bulk_discounts"]}