CVE-2026-2001

High

Published: 16 February 2026

Published

16 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0032 55.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and…

above, to install arbitrary plugins on the affected site's server which may make remote code execution possible.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved authorizations for access to system resources, directly mitigating the missing capability check that allows unauthorized plugin installation.

AC-6 Least Privilege good match

prevent

AC-6 applies least privilege to restrict subscriber-level users from performing administrative actions like plugin installation.

CM-11 User-installed Software good match

prevent

CM-11 prohibits or restricts user-installed software, preventing low-privilege attackers from installing arbitrary plugins.

Security SummaryAI

CVE-2026-2001 is a vulnerability in the WowRevenue plugin for WordPress, affecting all versions up to and including 2.1.3. It stems from a missing capability check in the 'Notice::install_activate_plugin' function, enabling unauthorized plugin installation. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-862 (Missing Authorization).

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By calling the vulnerable function, they can install arbitrary plugins on the target WordPress site, which may enable remote code execution depending on the plugins installed.

References include the plugin's source code at line 909 of class-notice.php in version 2.1.3 (https://plugins.trac.wordpress.org/browser/revenue/tags/2.1.3/includes/notice/class-notice.php#L909) and Wordfence threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/6d881f00-5985-45d5-9aab-d143a010d739?source=cve), which security practitioners should review for additional details on detection and remediation.

Details

CWE(s): CWE-862

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing WordPress plugin allows low-privileged authenticated users to install arbitrary plugins, enabling exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068) to achieve RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/revenue/tags/2.1.3/includes/notice/class-notice.php#L909
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/6d881f00-5985-45d5-9aab-d143a010d739?source=cve
security@wordfence.com