CVE-2026-0974: CWE-862 Missing Authorization in orderable Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin
The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution.
AI Analysis
Technical Summary
CVE-2026-0974 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin. The vulnerability stems from the absence of a capability check in the 'install_plugin' function, which is responsible for installing plugins within the WordPress environment. This missing authorization allows any authenticated user with at least Subscriber-level privileges to bypass normal restrictions and install arbitrary plugins. Since WordPress plugins can execute PHP code, this unauthorized plugin installation can lead to remote code execution (RCE), allowing attackers to execute arbitrary commands on the server hosting the WordPress site. The vulnerability affects all versions up to and including 1.20.0 of the plugin. The CVSS 3.1 base score is 8.8, indicating a high severity with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), no user interaction, and impacts confidentiality, integrity, and availability severely. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is particularly dangerous because Subscriber-level access is commonly granted to registered users, which may be easier for attackers to obtain or compromise compared to administrator accounts. This vulnerability can be leveraged to gain full control over the WordPress site, steal sensitive data, deface websites, or use the compromised server as a pivot point for further attacks.
Potential Impact
For European organizations, especially those in the hospitality and food delivery sectors relying on the Orderable plugin, this vulnerability poses a significant risk. Exploitation can lead to full site compromise, data breaches involving customer information, disruption of online ordering services, and potential reputational damage. The ability for low-privilege users to escalate privileges and execute arbitrary code can also facilitate the deployment of malware, ransomware, or use the compromised infrastructure for further attacks such as phishing or cryptomining. Given the widespread adoption of WordPress across Europe and the growing reliance on online food ordering systems, the impact could be extensive, affecting both small businesses and large restaurant chains. Additionally, GDPR compliance risks arise if customer data confidentiality is breached. The disruption of availability could lead to loss of revenue and customer trust, particularly in competitive markets.
Mitigation Recommendations
Organizations should immediately audit user roles and permissions within their WordPress installations to ensure that Subscriber-level users do not have unintended elevated privileges. Until an official patch is released, consider disabling or restricting access to the Orderable plugin's plugin installation functionality via custom code or security plugins that enforce capability checks. Monitoring for unusual plugin installations or changes in the WordPress environment is critical. Employ Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit this vulnerability. Regularly update WordPress core, themes, and plugins, and subscribe to vendor advisories for timely patch releases. Implement multi-factor authentication (MFA) to reduce the risk of account compromise. Conduct penetration testing focusing on privilege escalation vectors. Finally, maintain offline backups of website data and configurations to enable rapid recovery in case of compromise.
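The following is an added illustration, not code from the Orderable plugin or from the advisory above: it shows the generic CWE-862 shape described in the technical summary (a plugin-install handler that confirms only that the caller is logged in) next to the capability check that closes it, and a logging hook that supports the monitoring recommendation. Handler and hook names (`vulnerable_install_plugin_handler`, `hardened_install_plugin_handler`, `audit_plugin_installs`, the `my_plugin_install` AJAX action and nonce) are hypothetical; the WordPress APIs used (`check_ajax_referer`, `current_user_can`, `plugins_api`, `Plugin_Upgrader`, `upgrader_process_complete`) are core WordPress functions.

```php
<?php
/**
 * Added example (not Orderable's code): the missing-authorization pattern
 * behind CVE-2026-0974 and the capability check that closes it, plus an
 * audit hook for plugin installations. Function and action names are hypothetical.
 */

// VULNERABLE PATTERN: the handler only checks that the request is authenticated.
// Every logged-in user, Subscribers included, can reach admin-ajax.php, so
// is_user_logged_in() is authentication, not authorization (CWE-862).
function vulnerable_install_plugin_handler() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    // ... download and activate $slug ...  <-- reachable by any authenticated role
}

// HARDENED PATTERN: CSRF nonce plus capability check before any side effect.
function hardened_install_plugin_handler() {
    // Dies with HTTP 403 when the nonce for this action is missing or invalid.
    check_ajax_referer( 'my_plugin_install_nonce', 'nonce' );

    // 'install_plugins' is the capability WordPress core itself requires here.
    // It also honours DISALLOW_FILE_MODS, which maps the capability to do_not_allow.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }

    // Install through the core upgrader rather than a hand-rolled download path.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 400 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_my_plugin_install', 'hardened_install_plugin_handler' );

// DETECTION: record every plugin installation with the acting account and its
// roles, so an install triggered by a Subscriber-level user stands out in logs.
function audit_plugin_installs( $upgrader, $hook_extra ) {
    if ( ( $hook_extra['type'] ?? '' ) !== 'plugin' || ( $hook_extra['action'] ?? '' ) !== 'install' ) {
        return;
    }
    $user  = wp_get_current_user();
    $roles = implode( ',', (array) $user->roles );
    $slug  = $upgrader->plugin_info() ?: 'unknown';
    error_log( sprintf(
        'PLUGIN_INSTALL plugin=%s user_id=%d login=%s roles=%s can_install=%s ip=%s',
        $slug,
        $user->ID,
        $user->user_login,
        $roles,
        current_user_can( 'install_plugins' ) ? 'yes' : 'NO',
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );
}
add_action( 'upgrader_process_complete', 'audit_plugin_installs', 10, 2 );
```

Dropped into `wp-content/mu-plugins/` as a must-use plugin, the audit hook fires for installs performed through any code path that uses the core upgrader; a log line with `can_install=NO` is exactly the signal the mitigation section asks operators to watch for while the plugin remains unpatched. Setting `DISALLOW_FILE_MODS` to `true` in `wp-config.php` is a further blanket control that makes `current_user_can( 'install_plugins' )` return false for every account, at the cost of disabling dashboard updates.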
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-15T01:29:25.748Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699697f56aea4a407a3be0e9
Added to database: 2/19/2026, 4:56:21 AM
Last enriched: 2/19/2026, 5:10:43 AM
Last updated: 2/21/2026, 12:18:21 AM