Cyber Posture

CVE-2026-2446

Critical

Published: 06 March 2026
Modified: 15 April 2026
KEV Added: (no date listed)
Patch: (no link listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.7th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role) and create arbitrary admin users.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Enforces approved authorizations for access to system resources, directly preventing unauthenticated exploitation of the AJAX action lacking authorization checks to update WordPress options and create admin users.

Prevent: Mandates identification and authentication or equivalent protections for publicly accessible interfaces, blocking remote unauthenticated access to the vulnerable plugin AJAX endpoint.

Prevent: Protects communications session authenticity to mitigate the missing CSRF checks, which could otherwise allow forged requests to the AJAX action even where basic access controls are present.

Security Summary (AI-generated)

CVE-2026-2446, published on 2026-03-06, affects the PowerPack for LearnDash WordPress plugin in versions before 1.3.0. The vulnerability arises from missing authorization and CSRF checks in an AJAX action, classified under CWE-862 (Missing Authorization). It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By sending requests to the flawed AJAX endpoint, they can update arbitrary WordPress options, such as default_role (raising the role assigned to newly registered accounts to administrator), and create arbitrary admin users, enabling full administrative control over the affected site.

The WPScan advisory at https://wpscan.com/vulnerability/cbc95cea-e5d4-4874-add6-c8c728b683b7/ details the issue, with mitigation achieved by updating the PowerPack for LearnDash plugin to version 1.3.0 or later.
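The pattern the description and summary above refer to, shown as an added example rather than the plugin's own code: a settings handler hooked on both `wp_ajax_*` and `wp_ajax_nopriv_*` with no nonce or capability check, next to a hardened version. The action name `pp_ld_save_setting`, the nonce action `pp_ld_settings`, the setting names and the option names are all hypothetical.

```php
<?php
/**
 * Added illustration of CVE-2026-2446's bug class (not PowerPack for
 * LearnDash code). Hook, nonce, setting and option names are hypothetical.
 */

// --- Vulnerable pattern ------------------------------------------------
// Registering the callback on wp_ajax_nopriv_* exposes it to visitors with
// no session at all, and the callback then trusts every POST field and
// writes it straight into wp_options.
add_action( 'wp_ajax_pp_ld_save_setting',        'pp_ld_save_setting_unsafe' );
add_action( 'wp_ajax_nopriv_pp_ld_save_setting', 'pp_ld_save_setting_unsafe' );

function pp_ld_save_setting_unsafe() {
    // No nonce, no capability check, no key allow-list. A request such as
    //   POST /wp-admin/admin-ajax.php
    //   action=pp_ld_save_setting&name=default_role&value=administrator
    // makes every subsequent self-registration an administrator.
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------
// Only logged-in requests reach the handler: the nopriv hook is gone.
add_action( 'wp_ajax_pp_ld_save_setting', 'pp_ld_save_setting_safe' );

function pp_ld_save_setting_safe() {
    // 1. CSRF: the nonce must have been issued to this user for this action.
    //    check_ajax_referer() terminates the request with HTTP 403 on failure.
    check_ajax_referer( 'pp_ld_settings', 'nonce' );

    // 2. Authorization: a nonce proves the request came from the user's own
    //    page, not that the user may change settings, so check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Never let the client choose the option key: map a fixed set of
    //    plugin settings to prefixed option names owned by the plugin.
    $allowed = array(
        'show_progress'  => 'pp_ld_show_progress',
        'items_per_page' => 'pp_ld_items_per_page',
    );
    $field = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! isset( $allowed[ $field ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown setting' ), 400 );
    }

    // 4. Coerce the value to the field's type before storing it.
    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = ( 'items_per_page' === $field ) ? absint( $raw ) : ( '1' === $raw ? '1' : '0' );

    update_option( $allowed[ $field ], $value );
    wp_send_json_success();
}

// The nonce the safe handler expects is minted server-side when the settings
// page is rendered, for example:
//   wp_localize_script( 'pp-ld-admin', 'ppLd',
//       array( 'nonce' => wp_create_nonce( 'pp_ld_settings' ) ) );
```

The three checks are independent: removing the `nopriv` hook closes the unauthenticated path, `check_ajax_referer()` closes the CSRF path for logged-in users, and `current_user_can()` closes the path for low-privilege accounts; the key allow-list bounds what even an administrator can write through this endpoint.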

Details

CWE(s): CWE-862 (Missing Authorization)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1136.001 Create Account: Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin AJAX endpoint (T1190) allows updating arbitrary options and creating arbitrary admin users (T1136.001), granting full site control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
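An audit for the two outcomes the section above ties to T1190 and T1136.001, a changed `default_role` and an unexpected administrator account, as an added example that is not from the page or the plugin. It runs inside WordPress (for instance with `wp eval-file cve-2026-2446-audit.php`); it assumes the plugin's `Name` header reads `PowerPack for LearnDash` and uses the advisory's publication date as the cut-off for recently registered administrators.

```php
<?php
/**
 * Added audit script for sites that may have been exposed to CVE-2026-2446.
 * Not from the page or the plugin. Assumptions: plugin Name header is
 * "PowerPack for LearnDash"; 2026-03-06 (advisory date) is the window for
 * "recent" administrator accounts. Run with: wp eval-file <this file>
 */

function pp_ld_audit_cve_2026_2446() {
    $findings = array();

    // 1. Is a version below the fixed release (1.3.0) still installed?
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        if ( 'PowerPack for LearnDash' === $data['Name']
             && version_compare( $data['Version'], '1.3.0', '<' ) ) {
            $findings[] = "vulnerable plugin version {$data['Version']} installed at $file";
        }
    }

    // 2. default_role is the option the advisory names. WordPress ships with
    //    'subscriber'; anything higher turns open registration into
    //    privilege escalation, so report both options together.
    $role = get_option( 'default_role' );
    if ( 'subscriber' !== $role ) {
        $findings[] = "default_role is '$role' (WordPress default is 'subscriber')";
    }
    if ( get_option( 'users_can_register' ) ) {
        $findings[] = 'users_can_register is enabled; with a raised default_role anyone can register as that role';
    }

    // 3. List every administrator with its registration timestamp so an
    //    account created after the advisory date (T1136.001) stands out.
    $since = '2026-03-06 00:00:00';
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        $flag = ( $user->user_registered >= $since ) ? ' [registered after advisory date]' : '';
        $findings[] = sprintf(
            'administrator: %s <%s> registered %s%s',
            $user->user_login, $user->user_email, $user->user_registered, $flag
        );
    }

    return $findings;
}

foreach ( pp_ld_audit_cve_2026_2446() as $line ) {
    echo $line, PHP_EOL;
}
```

Because the flaw allows writing arbitrary options, a clean `default_role` does not prove the site was untouched; treat any administrator you cannot account for as the primary indicator, and rotate credentials and salts once the plugin is updated to 1.3.0 or later.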

References

WPScan advisory: https://wpscan.com/vulnerability/cbc95cea-e5d4-4874-add6-c8c728b683b7/