Description
The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role etc) and create arbitrary admin users
Published: 2026-03-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Arbitrary Option Update leading to privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The PowerPack for LearnDash plugin before version 1.3.0 has an AJAX action that performs no authorization or CSRF validation, allowing any user to modify any WordPress option or create new administrator accounts. This violates the principle of least privilege and can grant an attacker full control of the site. The flaw is an authorization failure (CWE-862).

Affected Systems

WordPress sites running the PowerPack for LearnDash plugin older than 1.3.0 are affected; no other vendors or products are listed.

Risk and Exploitability

The CVSS score of 9.8 classifies this as a critical vulnerability, while the EPSS score of less than 1% suggests low current exploitation probability. Nonetheless, the absence of authentication on the AJAX endpoint makes exploitation straightforward: a remote attacker can directly send a crafted request to update options or create admin users without possessing valid credentials. The vulnerability is not listed in the KEV catalog, indicating no reported public exploits as of the latest data.

Generated by OpenCVE AI on April 17, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PowerPack for LearnDash to version 1.3.0 or later.
  • If an update is not immediately available, disable or uninstall the plugin until the patch is released.
  • Implement a web application firewall rule to block unauthenticated requests to the plugin’s AJAX endpoint, such as a mod_security rule or Cloudflare firewall rule.

Generated by OpenCVE AI on April 17, 2026 at 12:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Powerpackelements
Powerpackelements powerpack For Learndash
Wordpress
Wordpress wordpress
Vendors & Products Powerpackelements
Powerpackelements powerpack For Learndash
Wordpress
Wordpress wordpress

Fri, 06 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role etc) and create arbitrary admin users
Title Powerpack for LearnDash < 1.3.0 - Unauthenticated Arbitrary Option Update
References

Subscriptions

Powerpackelements Powerpack For Learndash
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-06T17:46:09.631Z

Reserved: 2026-02-13T08:32:25.403Z

Link: CVE-2026-2446

cve-icon Vulnrichment

Updated: 2026-03-06T17:46:04.660Z

cve-icon NVD

Status : Deferred

Published: 2026-03-06T06:15:57.880

Modified: 2026-04-15T14:42:29.303

Link: CVE-2026-2446

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses