Attack Vectors
CVE-2026-0974 is a High-severity vulnerability (CVSS 8.8) affecting Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin (slug: orderable) in versions up to and including 1.20.0. The core risk is that an attacker only needs a valid login with Subscriber-level access (or higher) to abuse the issue.
Because this can be exploited over the network with low complexity and no user interaction, organizations should treat any exposed WordPress login (including customer, member, or staff accounts) as a potential entry point—especially if accounts are shared, weakly protected, or not regularly reviewed.
Security Weakness
The vulnerability is caused by a missing authorization (capability) check on the plugin’s install_plugin function. In practical terms, this means the plugin may allow authenticated users who should not have software-management privileges to install arbitrary WordPress plugins.
Unauthorized plugin installation is a critical control failure because plugins can change site behavior, introduce backdoors, or enable additional compromise paths. According to the published details, this weakness can ultimately lead to Remote Code Execution—a scenario where an attacker can run malicious code on the website and potentially take full control.
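As an added illustration, not code from the Orderable plugin or its install_plugin function, the following WordPress admin-ajax handler shows the authorization (capability) check whose absence the advisory describes, alongside the nonce check and audit logging a defender would expect; all function, action and nonce names are hypothetical placeholders.

```php
<?php
// Added example (not Orderable's code): a WordPress admin-ajax plugin-install
// handler. Function, action and nonce names are hypothetical placeholders.
//
// The flaw class described above is a handler like this one with the
// current_user_can() check missing: every logged-in user who can reach
// admin-ajax.php, Subscribers included, could then trigger an install.

function hypothetical_install_plugin() {
    // Rejects forged cross-site requests; dies with HTTP 403 on failure.
    check_ajax_referer( 'hypothetical_install_plugin', 'nonce' );

    // 'install_plugins' is held by Administrators on single-site installs
    // and by Super Admins on multisite; Subscribers stop here with 403.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }

    // Leave an audit record so unexpected plugin installs can be alerted on.
    error_log( sprintf( 'plugin install by user %d: %s', get_current_user_id(), $slug ) );

    $result = hypothetical_install_from_wporg( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}

// Installs a plugin from the wordpress.org directory using core's upgrader.
function hypothetical_install_from_wporg( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}

// Register for logged-in users only; never expose install actions via wp_ajax_nopriv_.
add_action( 'wp_ajax_hypothetical_install_plugin', 'hypothetical_install_plugin' );
```

When reviewing a plugin, grep every wp_ajax_, REST route and admin_post_ handler that touches plugin, theme or option state for a current_user_can() call before any side effect; a handler that relies only on the user being logged in has exactly the weakness described above.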
Technical or Business Impacts
Business risk: A successful attack can turn a marketing website or online ordering experience into a liability. Impacts may include payment and customer-data exposure, site defacement, SEO spam that damages brand credibility, and service disruption during peak ordering hours. For organizations with compliance obligations, this can trigger incident response, legal review, customer notifications, and added audit scrutiny.
Operational risk: Because the attacker only needs a basic authenticated account, the threat extends beyond administrators to any workflow that creates logins (loyalty programs, customer accounts, staff accounts, vendor access, internships, and agencies). This expands the attack surface and increases the likelihood of compromise through credential reuse, phishing, or leaked passwords.
What to do now: There is no known patch available at the time of reporting. Based on your risk tolerance, it may be best to uninstall the affected Orderable plugin and replace it with an alternative. If removal is not immediately feasible, consider compensating controls such as minimizing Subscriber accounts, enforcing strong authentication (including MFA where possible), tightly controlling who can register/log in, monitoring for unexpected plugin installations, and increasing alerting around admin-level changes.
Similar Attacks
WordPress plugin vulnerabilities have repeatedly been used for site takeover, malware distribution, and business disruption. For context, here are a few well-documented examples:
CVE-2020-25213 (File Manager plugin) — widely exploited remote code execution
CVE-2021-29447 (WordPress Core) — media handling flaw used to compromise sites
CVE-2023-2732 (Essential Addons for Elementor) — privilege escalation enabling site takeover