CVE-2026-2446
Received - Intake
Authorization Bypass and CSRF in PowerPack for LearnDash Plugin

Publication date: 2026-03-06

Last updated on: 2026-03-06

Assigner: WPScan

Description
The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role) and create arbitrary admin users.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-06
Generated: 2026-06-16
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: learndash
Product: powerpack
Version / Range: up to 1.3.0 (exclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-2446 affects the PowerPack for LearnDash WordPress plugin versions prior to 1.3.0. The vulnerability exists because the plugin does not implement proper authorization and CSRF (Cross-Site Request Forgery) checks in an AJAX action called learndash_save_class_data_ajax.

This flaw allows unauthenticated users to send specially crafted requests to the WordPress AJAX handler, enabling them to update arbitrary WordPress options such as default_role. By exploiting this, attackers can create arbitrary admin users without needing to authenticate.

Impact Analysis

The vulnerability can have severe impacts including unauthorized privilege escalation. Attackers can create admin users on your WordPress site without authentication, giving them full control over the site.

They can also modify critical WordPress options such as the default user role, potentially allowing further unauthorized registrations and access.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the WordPress AJAX handler endpoint `wp-admin/admin-ajax.php` that include the parameter `action=learndash_save_class_data_ajax`.

Specifically, look for requests that attempt to set the `class_name` parameter to `users_can_register` or another critical WordPress option, with the new value supplied via the `formData` parameter.

Sample ways to detect such attempts with command-line and network monitoring tools:

- Using grep on web server logs to find suspicious POST requests: `grep 'action=learndash_save_class_data_ajax' /var/log/apache2/access.log`
- Using tcpdump or Wireshark to filter HTTP POST requests to `admin-ajax.php` containing the vulnerable action parameter.
- Using curl to test the vulnerability (for detection purposes only):
  `curl -X POST https://example.com/wp-admin/admin-ajax.php -d 'action=learndash_save_class_data_ajax&class_name=users_can_register&formData=1'`

[1]
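The grep above only catches what the access log records, which is the request line and its query string, not the POST body. Because `admin-ajax.php` reads `action` from `$_REQUEST`, a request can carry the vulnerable action in the body and leave no trace of it in a standard access log. The following added example (not part of this advisory and not the plugin's code) applies the detection guidance to constructed access-log lines and to a captured request body. It assumes the Apache/nginx "combined" log format, the parameter names `action`, `class_name` and `formData` as they appear in the curl line above, and a list of sensitive option names chosen for illustration (only `default_role` and `users_can_register` are named on this page).

```python
"""Flag requests for the PowerPack for LearnDash AJAX action (CVE-2026-2446)
in web-server access logs and in captured POST bodies.

Added example, not from the advisory or the plugin. Assumptions: combined log
format; parameter names taken from the curl line in the detection guidance;
SENSITIVE_OPTIONS beyond default_role/users_can_register is an editor's choice.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "learndash_save_class_data_ajax"
AJAX_PATH = "/wp-admin/admin-ajax.php"
# Options whose modification enables the impact described on the page.
# default_role and users_can_register come from the page; the rest are assumed.
SENSITIVE_OPTIONS = {"default_role", "users_can_register", "admin_email", "siteurl", "home"}

# Apache/nginx "combined" log line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_access_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def classify_access(rec):
    """Classify a parsed access-log record.

    'confirmed': the vulnerable action is visible in the query string.
    'needs_body_inspection': a POST to admin-ajax.php whose query string does not
        show the vulnerable action; admin-ajax.php reads action from $_REQUEST,
        so the value may sit in the POST body, which the access log never records.
    None: not relevant to this CVE.
    """
    if rec is None or not rec["path"].endswith(AJAX_PATH):
        return None
    if VULN_ACTION in rec["query"].get("action", []):
        return "confirmed"
    if rec["method"] == "POST":
        return "needs_body_inspection"
    return None


def classify_body(body):
    """Classify a captured form-urlencoded POST body (e.g. from a WAF audit log).

    Returns None, 'vuln_action', or 'vuln_action_sensitive_option' when the
    class_name parameter names one of the sensitive WordPress options.
    """
    params = parse_qs(body, keep_blank_values=True)
    if VULN_ACTION not in params.get("action", []):
        return None
    if set(params.get("class_name", [])) & SENSITIVE_OPTIONS:
        return "vuln_action_sensitive_option"
    return "vuln_action"


def scan_access_log(lines):
    """Return (Counter of labels, list of (ip, timestamp, target) for confirmed hits)."""
    counts = Counter()
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        label = classify_access(rec)
        if label:
            counts[label] += 1
            if label == "confirmed":
                hits.append((rec["ip"], rec["ts"], rec["target"]))
    return counts, hits


# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=learndash_save_class_data_ajax HTTP/1.1" 200 17',
    '203.0.113.7 - - [06/Mar/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=learndash_save_class_data_ajax&class_name=default_role&formData=1 HTTP/1.1" 200 17',
    '198.51.100.4 - - [06/Mar/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43',
    '198.51.100.4 - - [06/Mar/2026:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 43',
    '192.0.2.9 - - [06/Mar/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    counts, hits = scan_access_log(SAMPLE_LOG)
    print(dict(counts))
    for hit in hits:
        print("confirmed:", *hit)
    # Constructed body mirroring the curl line in the detection guidance.
    print(classify_body("action=learndash_save_class_data_ajax&class_name=users_can_register&formData=1"))
```

The `needs_body_inspection` label is deliberately noisy: every POST to `admin-ajax.php` without the action in its query string is a candidate, because the access log cannot rule it out. Feed those requests' bodies, from a ModSecurity audit log or a body-capturing reverse proxy, to `classify_body`, which is also the matcher a WAF rule for the Mitigation section would encode.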

Mitigation Strategies

The immediate mitigation step is to update the PowerPack for LearnDash WordPress plugin to version 1.3.0 or later, where this vulnerability has been fixed.

Until the update can be applied, restrict access to the `wp-admin/admin-ajax.php` endpoint or implement web application firewall (WAF) rules to block POST requests containing the parameter `action=learndash_save_class_data_ajax`.

Additionally, review and monitor WordPress user roles and options for unauthorized changes, especially the `default_role` setting and the presence of unexpected admin users.
