Impact
The WowOptin plugin contains a missing capability check in its 'install_and_active_plugin' function. This flaw enables any authenticated user with Subscriber-level access or higher to install and activate arbitrary plugins on the WordPress site. With the ability to install plugins, an attacker can introduce malicious code, backdoors, or further compromise website functionality, leading to potential data exfiltration, defacement, or full site takeover. The vulnerability is classified as CWE-862 (Missing Authorization), reflecting an authorization error rather than an input-handling bug.
Affected Systems
All versions of WowOptin up to and including 1.4.24 are affected. The plugin is a WordPress add-on developed by wpxpo. Because the vulnerability relies only on the built-in WordPress role hierarchy, any WordPress installation that has the plugin installed and allows Subscribers or higher to access the admin area is impacted.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. Exploitation requires only a user account with Subscriber privileges or better; no external network access or complex preconditions are needed. Although the EPSS score is below 1%, the attack remains realistic given how widely the plugin is deployed. The vulnerability is not yet listed in the CISA KEV catalog, but the missing authorization represents a critical control gap. An attacker exploiting this flaw can immediately load arbitrary code through the plugin installation interface, without needing server-level access or any additional vulnerability.
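The bug class described in the Impact and Risk sections, shown as an added illustration rather than WowOptin's own code: a hypothetical AJAX plugin-install handler (action name `example_install_plugin` and all `example_*` functions are assumptions) first without, then with, the nonce and capability checks that core WordPress itself requires for installing and activating plugins.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical names throughout.

// VULNERABLE PATTERN (the advisory's bug class): wp_ajax_* hooks fire for every
// logged-in role, Subscriber included, so a handler that skips the capability
// check lets any account reach the privileged install path.
function example_install_plugin_unchecked() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    example_do_install( $slug ); // no current_user_can(), no nonce check
}
// add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_unchecked' );

// HARDENED PATTERN: verify the nonce (CSRF) and the capabilities (authorization)
// before anything privileged runs. 'install_plugins' and 'activate_plugins' are
// the core capabilities WordPress checks on its own plugin screens.
function example_install_plugin_checked() {
    check_ajax_referer( 'example_install_plugin', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }
    $result = example_do_install( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'plugin' => $result ) );
}
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_checked' );

// Shared install routine built on core's upgrader; returns the plugin file
// path on success or a WP_Error. Only ever called after the checks above.
function example_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return is_wp_error( $installed ) ? $installed : new WP_Error( 'install_failed', 'Install failed.' );
    }
    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin( $plugin_file );
    return is_wp_error( $activated ) ? $activated : $plugin_file;
}
```

When auditing a plugin for this bug class, search its `wp_ajax_*` and REST callbacks for privileged operations that are not preceded by a `current_user_can()` test for the matching core capability.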
OpenCVE Enrichment