CVE-2026-2001
WowRevenue · WowRevenue Plugin for WordPress
The WowRevenue plugin for WordPress contains a missing capability check in its installation function, allowing unauthorized users to install and activate arbitrary plugins.
Executive summary
The WowRevenue WordPress plugin is vulnerable to a critical flaw that allows unauthorized attackers to install malicious plugins and potentially take full control of the website.
Vulnerability
The vulnerability stems from a missing capability check in the Notice::install_activate_plugin function. This allows an attacker (potentially unauthenticated or low-privileged) to trigger the installation and activation of any plugin from the WordPress repository, which can be leveraged for site takeover.
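The pattern described above, as an added illustration rather than WowRevenue's own code: a handler that performs the privileged install-and-activate step with no gate, beside the hardened form that checks a nonce and the relevant capabilities first. The AJAX action name, the `slug` parameter and the `do_install_and_activate` helper are assumptions; only the Notice::install_activate_plugin name comes from the advisory.

```php
<?php
// Added example, not the plugin's code. Hook name, parameter name and helper
// are assumptions; only the vulnerable function's name is taken from the advisory.

// Weak pattern (the class of bug the advisory describes): the handler trusts any
// caller that reaches admin-ajax.php. Hooked on wp_ajax_nopriv_* it would be
// reachable unauthenticated; hooked only on wp_ajax_* any subscriber could use it.
function insecure_install_activate_plugin() {
    $slug = $_POST['slug'];             // unvalidated input
    do_install_and_activate( $slug );   // privileged operation, no capability check
    wp_send_json_success();
}
// add_action( 'wp_ajax_wowrevenue_install_plugin',        'insecure_install_activate_plugin' );
// add_action( 'wp_ajax_nopriv_wowrevenue_install_plugin', 'insecure_install_activate_plugin' );

// Hardened pattern: CSRF nonce, then capability checks, then input validation,
// all before any privileged work, and registered for authenticated users only.
function secure_install_activate_plugin() {
    check_ajax_referer( 'wowrevenue_install_plugin', 'nonce' );      // dies on a bad/missing nonce
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );       // same caps Core requires
    }
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'invalid_slug', 400 );
    }
    $result = do_install_and_activate( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_wowrevenue_install_plugin', 'secure_install_activate_plugin' );

// Assumed helper: install a plugin from wordpress.org by slug and activate it,
// using Core's upgrader so the caller's permission checks are the only gate.
function do_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'install_failed', 'Plugin install failed.' );
    }
    return activate_plugin( $upgrader->plugin_info() );
}
```

The nonce only stops cross-site request forgery; it is the `current_user_can()` checks that close the privilege gap the advisory describes, so both belong in the handler.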
Business impact
This vulnerability is high-risk (CVSS 8.8) because it provides a direct path to remote code execution and site compromise. An attacker could install a "file manager" or "web shell" plugin to gain full access to the server, leading to data theft, site defacement, or malware distribution.
Remediation
Immediate Action: Update the WowRevenue plugin to the latest patched version; if no patch is yet available, deactivate the plugin until one is.
Proactive Monitoring: Review the site's plugin list for any unfamiliar or unauthorized plugins and check the wp-content/plugins directory for suspicious files.
Compensating Controls: Use a security plugin to monitor for unauthorized plugin activations and restrict access to the WordPress administrative AJAX and dashboard functions.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The 8.8 CVSS score indicates an urgent need for remediation. Administrators should not only update the plugin but also perform a thorough security audit of their WordPress installation to ensure no unauthorized changes have been made.