CVE-2026-0974 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin. The flaw arises because the 'install_plugin' function lacks proper capability checks, allowing any authenticated user with at least Subscriber-level privileges to install arbitrary plugins. This bypasses the intended authorization controls that should restrict plugin installation to administrators or trusted roles. Since WordPress plugins can execute PHP code, this vulnerability can lead to remote code execution (RCE), enabling attackers to take full control of the affected WordPress site. The vulnerability affects all versions up to and including 1.20.0 of the plugin. The CVSS v3.1 base score is 8.8, indicating a high severity with network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability's nature makes it a prime target for attackers seeking to compromise WordPress sites running this plugin. The vulnerability was publicly disclosed in February 2026, with the initial reservation in January 2026. The plugin is widely used in the restaurant and food ordering sector on WordPress, making affected sites attractive targets for attackers aiming to disrupt services or steal sensitive data.

The vulnerability allows attackers with minimal privileges (Subscriber-level) to escalate their access by installing arbitrary plugins, which can contain malicious code. This can lead to full remote code execution on the WordPress server, compromising the confidentiality, integrity, and availability of the affected system. Attackers could deface websites, steal customer data, inject malware, or use the compromised server as a foothold for further network attacks. For organizations relying on the Orderable plugin for online food ordering, this could result in significant operational disruption, reputational damage, and regulatory consequences if customer data is exposed. The ease of exploitation and the broad impact on core system security components make this a critical risk. Additionally, since the vulnerability requires only authenticated access at a low privilege level, it increases the attack surface, especially in environments where user accounts are not tightly controlled or where subscriber accounts are easily created or compromised.

1. Immediately restrict Subscriber-level and other low-privilege user accounts from accessing plugin installation functionalities by applying custom capability restrictions or using security plugins that enforce role-based access control. 2. Monitor WordPress sites for unauthorized plugin installations or changes in plugin files using file integrity monitoring tools. 3. Apply patches or updates from the plugin vendor as soon as they become available to fix the missing authorization check. 4. Harden WordPress installations by limiting the number of users with authenticated access and enforcing strong authentication mechanisms such as multi-factor authentication. 5. Regularly audit user roles and permissions to ensure no unnecessary privileges are granted. 6. Employ web application firewalls (WAFs) that can detect and block suspicious plugin installation attempts. 7. Backup WordPress sites frequently to enable quick recovery in case of compromise. 8. Educate site administrators about the risks of installing untrusted plugins and the importance of timely updates. 9. Consider isolating critical WordPress instances or using containerization to limit the blast radius of a potential compromise.