CVE-2026-0974 HIGH

CVE-2026-0974: Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

Vendor Orderable
Product Orderable – Restaurant & Food Ordering System
Weakness CWE-862 · Missing authorization
Published February 19, 2026
Last update May 19, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution.

Explanation of Vulnerability in Simple Terms

02Summary

Orderable – Restaurant & Food Ordering System versions 1.20.0 and earlier lack proper authorization checks, allowing authenticated users to read, modify, or delete data they should not access. An attacker with a low-privilege account can escalate their capabilities to perform actions reserved for administrators or other users. This affects confidentiality, integrity, and availability of restaurant and order data.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete restaurant orders and data belonging to other users or administrators.

Potential impact on your site

04Site Impact

Restaurant data, customer orders, and sensitive business information can be compromised by any authenticated user.

Conditions required to exploit

05Prerequisites

Attacker must have a valid low-privilege user account on the system.

Key dates

06Disclosure timeline

February 19, 2026 CVE published
May 19, 2026 Record updated