WowRevenue Plugin Allows Untrusted Users to Install Malicious Plugins on WordPress Sites

CVE-2026-2001
Summary

The WowRevenue plugin for WordPress has a security flaw that lets users with limited access install unauthorized plugins on a site, which can lead to malicious code being executed and give attackers control of the site. To fix this, update the plugin to version 2.1.4 or later.

Original title
The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and ...
Original description
The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible.
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-862 Missing Authorization
Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
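
The missing capability check named in the description, shown as the hardened pattern for a WordPress AJAX handler that installs and activates a plugin. This is an added example, not WowRevenue's code or its actual patch; the action name, nonce name, function name and slug allowlist are hypothetical.

```php
<?php
// Hypothetical handler: action name, nonce name and allowlist are assumptions
// made for illustration and are not taken from the WowRevenue code base.
const EXAMPLE_ALLOWED_SLUGS = array( 'example-companion-plugin' );

add_action( 'wp_ajax_example_install_plugin', 'example_install_activate_plugin' );

function example_install_activate_plugin() {
    // 1. CSRF protection. A nonce is not authorization: it only proves the
    //    request came from a page WordPress rendered for this session.
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // 2. Authorization (the CWE-862 gap). wp_ajax_* hooks fire for every
    //    logged-in user, subscribers included, so the handler must check
    //    the capabilities itself.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Defense in depth: only install slugs the plugin actually needs.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, EXAMPLE_ALLOWED_SLUGS, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not allowed.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the download URL from wordpress.org rather than from user input.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 502 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }

    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}
```

When auditing other plugins for the same class of bug, look for `wp_ajax_` handlers that reach `Plugin_Upgrader` or `activate_plugin()` without a preceding `current_user_can()` call.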