The PowerPack for LearnDash WordPress plugin before 1.3.0 lacks authorization and CSRF checks in an AJAX action, allowing unauthenticated users to cre...
Description
The PowerPack for LearnDash WordPress plugin before 1.3.0 lacks authorization and CSRF checks in an AJAX action, allowing unauthenticated users to create admin accounts.
AI Analyst Comment
Remediation
Update WordPress plugin before to the latest version. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: 10up
PRODUCT: PowerPack for LearnDash
AFFECTED_VERSIONS: Before version 1.3.0
---END_METADATA---
Description Summary:
The PowerPack for LearnDash WordPress plugin before 1.3.0 lacks authorization and CSRF checks in an AJAX action, allowing unauthenticated users to create admin accounts.
Executive Summary:
A critical security flaw in the PowerPack for LearnDash plugin allows unauthenticated attackers to gain full administrative control of WordPress sites by manipulating AJAX actions.
Vulnerability Details
CVE-ID: CVE-2026-2446
Affected Software: PowerPack for LearnDash (WordPress plugin)
Affected Versions: Before version 1.3.0
Vulnerability: The plugin's AJAX implementation fails to perform necessary authorization and Cross-Site Request Forgery (CSRF) checks. This allows an unauthenticated attacker to update arbitrary WordPress options, such as the default user role, and create new administrative accounts without any legitimate credentials.
Business Impact
This vulnerability carries a CVSS score of 9.8, indicating a near-maximal risk level. A successful exploit results in total site takeover, allowing attackers to steal user data, deface the website, or use the server for malicious activities, causing severe reputational and operational damage.
Remediation Plan
Immediate Action: Update the PowerPack for LearnDash plugin to version 1.3.0 or higher immediately. If an update is not possible, the plugin should be deactivated and removed from the WordPress installation.
Proactive Monitoring: Audit the WordPress user list for any unauthorized administrative accounts and review the
wp_optionstable for unexpected changes to thedefault_roleorusers_can_registersettings.Compensating Controls: Use a WordPress-specific Web Application Firewall (WAF) to block suspicious AJAX requests to
admin-ajax.phpthat attempt to modify core configuration settings.Exploitation Status
Public Exploit Available: false
Analyst Notes: As of March 6, 2026, there is no public information indicating active exploitation. However, WordPress plugins with unauthenticated admin creation flaws are historically among the most actively targeted vulnerabilities by automated botnets.
Analyst Recommendation
The risk of total site compromise makes this a top-priority remediation item. Administrators must apply the version 1.3.0 update immediately and perform a thorough security audit of their WordPress environment to ensure no backdoors were established.