WowRevenue

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible.

AI Analysis

Missing capability check allows authenticated attackers to install arbitrary plugins

Basic Information

ID CVE-2026-2001

Source Wordfence

Published Feb 16, 2026 at 19:24

Affected Product

Vendor wpxpo

Product WowRevenue – Product Bundles & Bulk Discounts

Version *

Affected Versions wpxpo WowRevenue – Product Bundles & Bulk Discounts *

CWE Classification

CWE-862

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor wpxpo

Product WowRevenue

Version 2.1.3

References

{
    "lastseen": "",
    "description": "The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible.",
    "published": "2026-02-16T19:24:03.102Z",
    "modified": "2026-02-16T19:24:03.102Z",
    "type": "cve",
    "title": "WowRevenue <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d881f00-5985-45d5-9aab-d143a010d739?source=cve\nhttps://plugins.trac.wordpress.org/browser/revenue/tags/2.1.3/includes/notice/class-notice.php#L909",
    "id": "CVE-2026-2001",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "wpxpo WowRevenue \u2013 Product Bundles & Bulk Discounts *",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WowRevenue \u2013 Product Bundles & Bulk Discounts",
    "version": "*",
    "vendor": "wpxpo",
    "ai_description": "Missing capability check allows authenticated attackers to install arbitrary plugins",
    "ai_severity": "High",
    "ai_vendor": "wpxpo",
    "ai_product": "WowRevenue",
    "ai_version": "2.1.3",
    "ai_score": 8.8
}

WowRevenue <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation_CVE-2026-2001