PT-2026-23651 · WordPress · Powerpack For Learndash

Khaled Alenazi · Published 2026-03-06 · Updated 2026-03-17 · CVE-2026-2446

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PowerPack for LearnDash WordPress plugin versions prior to 1.3.0

Description

The PowerPack for LearnDash WordPress plugin lacks authorization and Cross-Site Request Forgery (CSRF) checks in an AJAX action. This allows unauthenticated users to modify arbitrary WordPress options, such as default role, and create new administrator users.

Recommendations

Update the PowerPack for LearnDash WordPress plugin to version 1.3.0 or later.
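
For plugin developers and code reviewers, the weakness class described above is shown here next to a hardened form. This is an added example, not the plugin's code, which this advisory does not show. Every `example_` action, function and option name is hypothetical.

```php
<?php
// Added illustration: every name prefixed example_ is hypothetical, not taken from the plugin.

// Vulnerable shape: the nopriv hook exposes the handler to logged-out visitors,
// and the handler writes whatever option name and value the request supplies.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_unsafe' );
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_unsafe' );

function example_save_setting_unsafe() {
    // No nonce check, no capability check, no restriction on the option name.
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}

// Hardened shape: authenticated hook only, nonce, capability check, option allowlist.
add_action( 'wp_ajax_example_save_setting_v2', 'example_save_setting_safe' );

function example_save_setting_safe() {
    // CSRF: reject requests without a valid nonce for this action (dies with 403).
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Allowlist: the handler may only touch options the plugin owns, so core
    // options such as default_role are never reachable through it.
    $allowed = array( 'example_plugin_feature_a', 'example_plugin_feature_b' );
    $name    = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown setting' ), 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of bug, look for `wp_ajax_nopriv_` registrations and for `update_option()` calls whose option name comes from request data.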

Exploit

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-2446

Affected Products

Powerpack For Learndash