CVE-2026-2001
Published 2026-02-16
Priority: P2 · 63 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.38% (29.6th percentile)
The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpxpo | wowrevenue_product_bundles_bulk_discounts | <= 2.1.3 | — |
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-2001 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-2001: WordPress vulnerability analysis and mitigation
The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.8 |
| Published | February 16, 2026 |
| Severity | HIGH |
| CNA Score | 8.8 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 51 |
| Exploitation Probability (EPSS) | 0.3 |
Affected pa
Bugzilla
CVE-2026-31696 kernel: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
bugzilla · 2026-05-01 · [LOW]
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
In rxrpc_preparse(), there are two paths for parsing key payloads: the
XDR path (for large payloads) and the non-XDR path (for payloads <= 28
bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly
validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR
path fails to do so.
This allows an unprivileged user to provide a very large ticket length.
When this key is later read via rxrpc_read(), the total
token size (toksize) calculation results in a value that exceeds
AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().
[ 2001.302904] WARNING