CVE-2026-0974: RCE in Orderable Restaurant Plugin
Platform
wordpress
Component
orderable
CVE-2026-0974 describes a critical Remote Code Execution (RCE) vulnerability within the Orderable – Restaurant & Food Ordering System plugin for WordPress. This flaw allows authenticated attackers, even those with Subscriber-level access, to install arbitrary plugins, effectively gaining control over the WordPress installation. The vulnerability affects versions of the plugin up to and including 1.20.0. A fix is available in subsequent versions.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
The impact of CVE-2026-0974 is significant due to its potential for Remote Code Execution. A successful exploit allows an attacker to install malicious plugins, which can then be used to compromise the entire WordPress site. This could involve data theft, website defacement, malware distribution, or complete server takeover. The attacker only needs Subscriber-level access, making it relatively easy to exploit. The blast radius extends to all data stored on the WordPress site, including customer information, order details, and potentially database credentials. This vulnerability shares similarities with other plugin installation vulnerabilities where inadequate access controls are present.
Exploitation Context
CVE-2026-0974 was published on 2026-02-18. Its severity is rated HIGH with a CVSS score of 8.8. There is currently no indication of this vulnerability being actively exploited in the wild, nor is it listed on KEV or EPSS. Public Proof-of-Concept (POC) code is likely to emerge given the ease of exploitation and the high impact. Monitor security advisories and vulnerability databases for updates.
Threat Intelligence
Exploit Status
EPSS
0.28% (51% percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-0974 is to upgrade the Orderable plugin to a version that addresses the vulnerability. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting plugin installation capabilities to only administrators. WordPress administrators can use a plugin like 'Limit Login Attempts' to further restrict access and monitor for suspicious login attempts. Regularly review installed plugins and remove any that are unnecessary or outdated. After upgrading, verify the fix by attempting to install a plugin with a Subscriber-level account – the installation should be denied.
How to fix
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Frequently asked questions
What is CVE-2026-0974 — RCE in Orderable Restaurant Plugin?
CVE-2026-0974 is a Remote Code Execution vulnerability in the Orderable plugin for WordPress, allowing authenticated attackers to install arbitrary plugins and potentially take control of the site. It has a HIGH severity rating (CVSS 8.8).
Am I affected by CVE-2026-0974 in Orderable Restaurant Plugin?
You are affected if you are using the Orderable plugin version 1.20.0 or earlier. Check your plugin version and upgrade immediately if vulnerable.
How do I fix CVE-2026-0974 in Orderable Restaurant Plugin?
Upgrade the Orderable plugin to the latest available version. If upgrading is not immediately possible, restrict plugin installation capabilities to administrators as a temporary workaround.
Is CVE-2026-0974 being actively exploited?
There is currently no public evidence of CVE-2026-0974 being actively exploited, but the ease of exploitation suggests it could become a target.
Where can I find the official Orderable advisory for CVE-2026-0974?
Refer to the Orderable plugin developer's website or the WordPress plugin repository for the latest advisory and update information regarding CVE-2026-0974.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...