This vulnerability arises from inadequate access control within the 'install_and_active_plugin' function of the WowOptin: Next-Gen Popup Maker plugin. All users with access as low as Subscriber-level can exploit this flaw, potentially installing and activating plugins without authorization. Such an action could lead to the introduction of malicious plugins, escalating to further attacks or unauthorized functionality on the site. The root cause of the vulnerability is the absence of proper user role and capability checks in the code handling plugin installations. This could compromise the entire site's security posture if exploited, as arbitrary plugins could execute any code permitted by WordPress architecture.

To mitigate this vulnerability, site administrators should restrict user privileges to the minimum necessary. Users without the need for plugin management capabilities should be demoted to roles beneath Subscriber if possible. Regularly audit user roles and permissions, and monitor for unauthorized plugin installations.